23542300x800000000000000038931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:47.484{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3797E52576EC4F0C02A6BCEBA2CA807F,SHA256=3E1D23D7FFCC044AFF82DAC5062C6D68E9F7EC3F703A0A4D063E199D547799D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:45.967{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59520-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:48.577{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0E7D361DA202FBC7C6C0998F9FA512,SHA256=24BF423DC2743D6978E0DDDBBEC4643AB1C689046CA262305662854BFB2A9844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:48.433{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-020MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:48.004{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B2BC9D81B95B7C7BEE72B02ECCB9C1,SHA256=C675FDF4D0F8D2EBB5575CA9C27BBF61245F5D0E7A690565659BBDEC3DB21AFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:46.686{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49950-false10.0.1.12-8000- 23542300x800000000000000038934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:49.658{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83975160A4599013CC990111985D4A37,SHA256=7E664ABA07381DAF719E1503E14BE3D74FA98D46C69DFEEF2EAF819B8C6B3B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:49.443{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:49.093{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEBE1756F9D459D37FFD8A345A72612,SHA256=238C197F1AF7DFDFF4F9F9B1483849187095A4104F43FFE20C50120721DB3821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:50.753{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BE94AB0A6FA61A3BE70836DC3857BC,SHA256=2D555A4C89D8260ADAB7354C9EEE0C1409E57D587FFC79B563FF8195D6C384ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:50.198{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AC1567B6B2F60B213949D937797D18,SHA256=F1920437AE8A4A91B436EED7B4C069829DAF41F0B951C0C7117EEE6E81F5134D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:51.857{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1900EA90A65C9B4283DB9D9017117A2A,SHA256=9DE3784FD38F0476B9F55D0074531259B1FB2CCC21B5AA603747F041F52A5B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:51.300{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5BDD715837D1F5E4C60A0432A2E81E,SHA256=6D961547A0DFE1AA14BE65715ED49C920A1EA0687D0E461BF7F9B477C21A37B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:52.951{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC0E2706A3AF4E1CB24E4CBB1EA2E12,SHA256=601537F8505E7DDA559C0CB1E220E8DA81B5C05433A3BEA1BC7310E471AEBA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:52.404{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D4F42109549A1EDC4CEFC4785CB44D,SHA256=142B2DD509E47959346E96F3582637999A6D3854B9E151EBCA9B6EC07F3513EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:11:53.713{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A06CF677DFAC51D5D4794BA1504A3D,SHA256=DAB1E993E412ACB5F608F3479F81AA21877CE019E472B90ABD0AFDC4871324C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:51.864{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59521-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000038938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:51.720{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49951-false10.0.1.12-8000- 23542300x8000000000000000101625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:54.695{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E357EF043EBABA1215C8075F3F3FB30,SHA256=516941F90CC2E17DF2935BFB674432BC08DCAD4C5CEA1D3796ADBB857F79D698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:54.056{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB7B01FC54031BA122C84DD9E1B2799,SHA256=8259D0E403F9F1F7A0351C2E9BB83C42C330B2DE680DC006CD7642A174754575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:55.791{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11DBDE0A97F934894E6ED2E089FD3A8,SHA256=A781CBDA9205A6679DAD6A66D0454D3CB85EA96D2D0FD7F93235F94F98350DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:55.159{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6C4D32BB4057A8F3F5FA0CC7FA84F3,SHA256=9899FA3F09864D73CDA03BB845451CDE51120FF715C7B57DA25CBA788FCD4F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:56.887{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45FCF1F0E81FDE4D9720F90641408F4,SHA256=A1EC4EFD575B06E6C97D80D06B90F3AE6992D8425BB1BD50A5A504AAE599D95E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000038941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:56.285{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34169F27C9701CA1D22854E6F5484AB,SHA256=E3A7DC9588218986D5690143DFED4EEFC191BEB44CEE6A66602AF5460A35DA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:57.933{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DA338E760D34EAE45FA14B6C24F3734C,SHA256=AED0E878CEDE535A9F9D31E4E6A0E4972711848DAF8FC71CC0D5A6237E98714F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:57.483{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58F78F22F14185908197317B74BE163,SHA256=356E021046C1695E6E5B48C2A512B47C5BE5FCAACF84F405B9E05F5DE22CBE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:58.575{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDEB71CC15860963FC62A1ED5374BF3,SHA256=86068DF81BC445239026A1AF25DDBABAEA18266C32AB98177DCC56093E66A9D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:58.087{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B1A4AADAB43C04FD01BE4D5101E5E6,SHA256=3C1A9C58BCA5BC5D807B077EF27B7159B4D9D073CE250672106C82A0C525C3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:59.674{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60C8962E749834AAA439D67B677CDDA,SHA256=3C711B07027AFA2F2BA994FE7E93A64A036BA6A51F00ECDFA52A8F3EF63E2225,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:57.887{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59522-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:11:59.173{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD15A47DDAF7BB02DF5D1E4B76BABBB,SHA256=F0B288BB6D74827E2518AE895F7DDE89F01B0AC883650D3F361FC7AEC8D6CC95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:11:57.670{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49952-false10.0.1.12-8000- 23542300x800000000000000038947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:00.877{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B124FE3EBADCD8D76F71E8BEB350F9,SHA256=96BE7B7B6C4F7C5ACC73DE72EEBF60623212729347FCC6C622A941761629AEC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:00.996{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 
23542300x8000000000000000101632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:00.670{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D073BF0A084F8912CBBEB04EA40902ED,SHA256=C0BF0CE0ED483A4E7B5C5C876301DE2DD2E5EBECBF39107D642A749528EA4DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:00.264{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51D52F583FBC62F34AB1A188D8D01F5,SHA256=A51DAE3362BD26C337C1241ED98A9437889FCD8F0612F25F49B4ECB50EC63488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000038950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:01.115{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000038949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:01.115{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:01.115{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:01.333{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794494A51666C2E3DE4DD499D3E08784,SHA256=F1D8FBDE0F23D5D4535A0DB94F3F195A0DBAD184BF202AA2AC5AF8F518F92D45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.244{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 
10341000x8000000000000000101649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.236{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.232{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.231{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.228{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.190{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.179{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.172{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.145{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.130{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.118{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.109{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.101{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.086{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.073{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.057{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:01.001{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.468{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427ACF41F16964F505966E4CEE4D2456,SHA256=9174267E4C6E63127B407076DE28C6BAE548BD8325AA961E063E67F673A256D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:02.085{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB499AAA7059E692AB136AED74EB47,SHA256=AA16F8A20C1FBE6161CDE4B995E6CC7B468450911C2ABF1FFBE3DED8CC2D51EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.116{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.115{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 
10341000x8000000000000000101658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.109{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.107{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.100{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.098{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.095{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:02.068{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1E172C83060EBE99F9835A89A4A6DC94,SHA256=5F075E5DBBE8141A663D851B503AD0C85A22422CB6ED4E14BE42679345A75BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:03.663{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F193071E1BE3778FF926FAF35A85027,SHA256=2A7970F44D732AD225B3D6BC88B4C3BF5AA40CF23C3DC894E7C2A28C4510D941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:03.170{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF7B47AB32D22A0CE5B5FF8835FAA50,SHA256=C633857688F607AB2AC5858CF58ECAF5AD0A530157E3B86FD37E93D32E71B05A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.774{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.773{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.767{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x8000000000000000101689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.756{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7558CF6EA9C80EBC66A937D084EF933,SHA256=44A2F808062B53DC38D0C6062B049C68796D1C1A5245AC251D31793D0A5B4CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.749{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 
10341000x8000000000000000101687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.737{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.708{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.699{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.687{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.681{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.679{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.676{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.673{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.669{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.668{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.665{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 354300x800000000000000038983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:02.825{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49953-false10.0.1.12-8000- 10341000x800000000000000038982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.655{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.648{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.643{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.636{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.628{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.622{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.620{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.612{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.607{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.603{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.597{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.593{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.589{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.581{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.573{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 
10341000x800000000000000038967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.571{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.553{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.538{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.496{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.488{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.481{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.463{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.450{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.441{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.423{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000038957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.413{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000038956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.409{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000038955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.406{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000038954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.404{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x800000000000000038953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:04.262{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05A86132F0BD03E7720FC318A8E0A38,SHA256=6F5F0099DA95D292B53E12B83668A4A2758983CFA529E2A0FD454DFDF2F91FBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:04.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.254{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.254{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000101665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.156{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.155{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000101663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:04.154{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x800000000000000038984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:05.802{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3DF9CB909C51E550A9DAB22D1FE4A7,SHA256=0FDA10F58515EA21A716E5BA6D3652A9BB76FAC383791EC92CC7C2D8A6B75A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:05.844{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB18094AF4105CD73CD4421D58A94FA,SHA256=4B5AB2C359BB8D0C8E614E4C839CE8DFBA6A01EAB755206C3189726EA4A00449,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:03.836{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59523-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000038985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:06.912{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B0C2EBDF6DFC2068280795CBF7C737,SHA256=328297D0998813CC630BD321571D430CCBCD554ABD3D14DCFDA85EBE7396227E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:06.827{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08874939B4F596338FE4C11A78DA4604,SHA256=4AF681B112DE71123AB9D648C0FC4E65C4395CA802E54998BDFB48380DA8F9B3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000038989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:07.818{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:07.818{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:07.817{3EE3745C-BE84-63BE-0B00-00000000A802}6322392C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:07.801{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:08.823{3EE3745C-BE84-63BE-0D00-00000000A802}7883900C:\Windows\system32\svchost.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000038990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:08.241{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5C97055EFF43F17E799055B02A351E,SHA256=4E6A84AB45C9A7D9C523CDC46B95916054908C4B33E46C7B68E697C612187F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:08.028{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF1FE8100CC986AEB1BC6AAA942D647,SHA256=52A3987A836838E72D413C3F4602F424F20206B4AA43DAFF3590D78E88D9B553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:09.452{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A9F14D9C79C20677535A9C6416CB0F,SHA256=D2E7A626006FCA3B85FFC31BF780ACE3627AE51914817C41228738A02F1EE3B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:09.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5CE63A2A48A352A945A43095E88CDF,SHA256=04E19561769D099AE4DFDD64511644AC3D271A48AEBD04E77B8A8C4770FDE740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000038992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:09.248{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000038996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:08.840{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49955-false10.0.1.12-8089- 354300x800000000000000038995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:08.684{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49954-false10.0.1.12-8000- 
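The records above are flattened Sysmon Event ID 10 (ProcessAccess) events: aurora-agent.exe opens a handle to nearly every process on the host, including lsass.exe with GrantedAccess 0x40, and svchost.exe reaches lsass.exe with 0x1400. The script below is an added example, not part of the original log dump or of any product shown in it. It rebuilds a few of those events as constructed Sysmon XML (the same field names the provider emits), decodes the access mask into PROCESS_* rights, counts call-trace frames with no backing module (the UNKNOWN(...) entries seen above), and flags lsass.exe access from anything outside an assumed allowlist. The allowlist and the C:\Users\Public\tool.exe source are assumptions for illustration, not something the page records.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for handle opens on lsass.exe."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access-right bits as documented for OpenProcess.
ACCESS_BITS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION",
}
# Rights that let a caller read or manipulate LSASS memory, threads or handles.
DANGEROUS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0080 | 0x0800

# Assumed allowlist of agents expected to touch every process on the host.
ALLOWED_SOURCES = {
    r"c:\program files\aurora-agent\aurora-agent.exe",
    r"c:\windows\system32\svchost.exe",
}


def decode_access(mask: int) -> List[str]:
    """Expand a GrantedAccess mask into the PROCESS_* right names it contains."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Sysmon <Event> into a dict keyed by EventData Name attributes."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS) or ""}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def triage(rec: Dict[str, str]) -> Optional[dict]:
    """Return a verdict for lsass.exe ProcessAccess events, None for anything else."""
    if rec.get("EventID") != "10":
        return None
    if not rec.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    mask = int(rec["GrantedAccess"], 16)
    src = rec["SourceImage"].lower()
    verdict = {
        "source": rec["SourceImage"], "pid": rec["SourceProcessId"],
        "rights": decode_access(mask),
        # Frames Sysmon could not attribute to a loaded module; worth a look, not an alert alone.
        "unbacked_frames": rec.get("CallTrace", "").count("UNKNOWN("),
    }
    if mask & DANGEROUS and src not in ALLOWED_SOURCES:
        verdict["severity"] = "high"
    elif mask & DANGEROUS:
        verdict["severity"] = "allowlisted"
    else:
        verdict["severity"] = "info"
    return verdict


def make_event(src: str, spid: int, target: str, access: str, calltrace: str) -> str:
    """Build a constructed Sysmon Event ID 10 record in the provider's XML layout."""
    fields = {
        "UtcTime": "2023-01-11 14:12:04.406", "SourceProcessId": str(spid),
        "SourceImage": src, "TargetImage": target,
        "GrantedAccess": access, "CallTrace": calltrace,
    }
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>10</EventID>'
            f'<Computer>win-host-ctus-attack-range-780</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


WOW64_TRACE = (r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|"
               r"C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|"
               r"C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0)")
RPC_TRACE = r"C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63"

# Constructed sample events modelled on the field values in the log dump above.
SAMPLE_EVENTS = [
    make_event(r"C:\Program Files\Aurora-Agent\aurora-agent.exe", 1552,
               r"C:\Windows\system32\lsass.exe", "0x40", WOW64_TRACE),
    make_event(r"C:\Windows\system32\svchost.exe", 728,
               r"C:\Windows\system32\lsass.exe", "0x1400", RPC_TRACE),
    make_event(r"C:\Users\Public\tool.exe", 4242,                 # assumed, not from the page
               r"C:\Windows\system32\lsass.exe", "0x1010", "UNKNOWN(000000000040A1C0)"),
    make_event(r"C:\Program Files\Aurora-Agent\aurora-agent.exe", 1552,
               r"C:\Windows\system32\svchost.exe", "0x40", WOW64_TRACE),
]


def run_triage(events: List[str] = SAMPLE_EVENTS) -> List[dict]:
    """Parse every event and keep only the lsass.exe verdicts."""
    return [v for v in (triage(parse_event(e)) for e in events) if v is not None]


if __name__ == "__main__":
    for v in run_triage():
        print(v["severity"], v["source"], v["rights"], "unbacked:", v["unbacked_frames"])
```

Run against real data, the allowlist should match on signer or hash rather than path alone, and 0x1410 or 0x1FFFFF from an interactive user's process is the pattern to page on; 0x1400 from svchost.exe during RPC work, as in the records above, is routine.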
23542300x800000000000000038994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:10.770{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BDDD516B278C9F1DD040D858B9E5CD,SHA256=D074ED6375C8694EE6424E14E4B9BBDF093538709F24F34BAEB3F996E0936216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:08.634{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local61557- 354300x8000000000000000101699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:08.633{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local61380- 23542300x8000000000000000101698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:10.244{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DD661D54EA15235341B0845FC3BEF4,SHA256=79CAF3610C31AC6CAFBEACD623F8CB3343EFF8BFFE15FF95531593D2EE161C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.982{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29B94C0C3EB397AD9484EEA2F7FE7BF5,SHA256=435CE66B097F701989A1C838368CE14F60B48AA64FA7C11287D3B6C1BC9EF329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.903{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D1488D055482B736305B947550F12B,SHA256=587B02E752C1CC0529865434CF3A2650772DF855AE4CD61F4A6E7AC270264889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.783{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=75EC090BC985669A2A43ED93A5729398,SHA256=02817F49162C23FD0A5DC0E38972FD364512FD9F6601BA9D005D0474D57EB377,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:08.929{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59524-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:11.343{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B61C4EF9FA431BEE96F5BE32B41FCBD,SHA256=6C13860E1082E5CC55ACE0B548FADBC4CC8FB46268D2297E3585E246696F2FC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.704{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.705{3EE3745C-C3BB-63BE-3601-00000000A802}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.236{3EE3745C-C3BB-63BE-3501-00000000A802}27203692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:11.032{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000038998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.032{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000038997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:11.033{3EE3745C-C3BB-63BE-3501-00000000A802}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.976{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6390726FA1910866CA83D1BDE81F5062,SHA256=C5706241F8A9F99DBE656420F10F42F841F929E8245129BCCA36DB0304A017C1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:12.456{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CBEDB0539BE1B58F7537F870E7C7E2,SHA256=8FDD7DE3A802A85EA9159937F250F1ED36DDECDAE0690578F22520B1ACE62431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:12.370{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.370{3EE3745C-C3BC-63BE-3701-00000000A802}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:12.120{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=868117D57C57C5D91AC3FE761D6B1C99,SHA256=74C19E6A66EAC7135DB2C20EF3BAB485AB73ECDC098DFCEA0900EA8887640D5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.985{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.985{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:13.984{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.984{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:13.983{3EE3745C-C3BD-63BE-3801-00000000A802}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:13.559{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943E054A722D4A1627113E8144D378C5,SHA256=E37E9DE79FA013EE239FECEC250DEBE52B3EBF4E0134ECAB3D0BA6875AD16952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:14.652{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BAA122989ADD523D66E2AD10CB967E,SHA256=94029B6A9C07E8DE07D823BBB984CCA245879192005035AFE9C81DEF2B7497C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.837{3EE3745C-C3BE-63BE-3901-00000000A802}920936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3BE-63BE-3901-00000000A802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:14.649{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:12:14.649
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39060 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:14.649
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39059 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:14.649
SourceProcessGUID: {3EE3745C-BE84-63BE-0500-00000000A802}
SourceProcessId: 416
SourceThreadId: 1048
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {3EE3745C-C3BE-63BE-3901-00000000A802}
TargetProcessId: 920
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39058 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:14.649
SourceProcessGUID: {3EE3745C-BE85-63BE-2200-00000000A802}
SourceProcessId: 1620
SourceThreadId: 3204
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetProcessGUID: {3EE3745C-C3BE-63BE-3901-00000000A802}
TargetProcessId: 920
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39057 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:14.650
ProcessGuid: {3EE3745C-C3BE-63BE-3901-00000000A802}
ProcessId: 920
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {3EE3745C-BE84-63BE-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9
ParentProcessGuid: {3EE3745C-BE85-63BE-2200-00000000A802}
ParentProcessId: 1620
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39056 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:14.196
SourceProcessGUID: {3EE3745C-C3BD-63BE-3801-00000000A802}
SourceProcessId: 1012
SourceThreadId: 1852
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-2200-00000000A802}
TargetProcessId: 1620
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
GrantedAccess: 0x101400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39055 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:14.053
ProcessGuid: {3EE3745C-BE98-63BE-7400-00000000A802}
ProcessId: 3564
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=478B4FC874E5797A4DFED1BB4075A850,SHA256=BA788D6E7338ABA781F0848131A278DA99720A56970E699142A6D7DB0933AC4E,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101707 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:15.914
ProcessGuid: {7DAC9CB3-BE97-63BE-2800-00000000A702}
ProcessId: 2656
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml
Hashes: MD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101706 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:15.751
ProcessGuid: {7DAC9CB3-BEAB-63BE-7B00-00000000A702}
ProcessId: 3632
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=EC3550191F7CC5D95634A03E1A864E89,SHA256=858211958289F5FFACD25E8076B7744D065E3A1EADACB5ED4388DC49A5B50517,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39085 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.407
SourceProcessGUID: {3EE3745C-C3BF-63BE-3A01-00000000A802}
SourceProcessId: 1636
SourceThreadId: 1084
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-2200-00000000A802}
TargetProcessId: 1620
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
GrantedAccess: 0x101400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39084 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE87-63BE-2E00-00000000A802}
SourceProcessId: 2956
SourceThreadId: 2976
SourceImage: C:\Windows\system32\conhost.exe
TargetProcessGUID: {3EE3745C-C3BF-63BE-3A01-00000000A802}
TargetProcessId: 1636
TargetImage: C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39083 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39082 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39081 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39080 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39079 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39078 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39077 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39076 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39075 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39074 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE84-63BE-0500-00000000A802}
SourceProcessId: 416
SourceThreadId: 532
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {3EE3745C-C3BF-63BE-3A01-00000000A802}
TargetProcessId: 1636
TargetImage: C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39073 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
SourceProcessGUID: {3EE3745C-BE85-63BE-2200-00000000A802}
SourceProcessId: 1620
SourceThreadId: 3204
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetProcessGUID: {3EE3745C-C3BF-63BE-3A01-00000000A802}
TargetProcessId: 1636
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39072 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.219
ProcessGuid: {3EE3745C-C3BF-63BE-3A01-00000000A802}
ProcessId: 1636
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
FileVersion: 8.2.5
Description: Registry monitor
Product: splunk Application
Company: Splunk Inc.
OriginalFileName: splunk-regmon.exe
CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {3EE3745C-BE84-63BE-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778
ParentProcessGuid: {3EE3745C-BE85-63BE-2200-00000000A802}
ParentProcessId: 1620
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39071 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:15.216
ProcessGuid: {3EE3745C-BE98-63BE-7400-00000000A802}
ProcessId: 3564
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=60FDF165834C6DDB37BC2E4E4685D58B,SHA256=310BF9A9092DE2A752E232F92B5513CD7D5B186EC8526AC9C155DC5A60789FCA,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39100 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE87-63BE-2E00-00000000A802}
SourceProcessId: 2956
SourceThreadId: 2976
SourceImage: C:\Windows\system32\conhost.exe
TargetProcessGUID: {3EE3745C-C3C0-63BE-3B01-00000000A802}
TargetProcessId: 1304
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39099 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39098 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39097 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39096 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39095 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39094 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39093 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39092 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39091 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0C00-00000000A802}
SourceProcessId: 728
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {3EE3745C-BE85-63BE-1A00-00000000A802}
TargetProcessId: 1896
TargetImage: C:\Windows\sysmon64.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39090 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE84-63BE-0500-00000000A802}
SourceProcessId: 416
SourceThreadId: 432
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessGUID: {3EE3745C-C3C0-63BE-3B01-00000000A802}
TargetProcessId: 1304
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39089 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.656
SourceProcessGUID: {3EE3745C-BE85-63BE-2200-00000000A802}
SourceProcessId: 1620
SourceThreadId: 3204
SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
TargetProcessGUID: {3EE3745C-C3C0-63BE-3B01-00000000A802}
TargetProcessId: 1304
TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39088 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.657
ProcessGuid: {3EE3745C-C3C0-63BE-3B01-00000000A802}
ProcessId: 1304
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
FileVersion: 8.2.5
Description: Windows Print Monitor
Product: splunk Application
Company: Splunk Inc.
OriginalFileName: splunk-winprintmon.exe
CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {3EE3745C-BE84-63BE-E703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9
ParentProcessGuid: {3EE3745C-BE85-63BE-2200-00000000A802}
ParentProcessId: 1620
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39087 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:16.343
ProcessGuid: {3EE3745C-BE98-63BE-7400-00000000A802}
ProcessId: 3564
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=7D59B20771958418E1EB6E543C7F4001,SHA256=A1287ECCC122977FE712541F01D8E9C97A2E087BDE8CB11BC04A29FDA7B5E345,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true
--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101709 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:16.858
ProcessGuid: {7DAC9CB3-BEAB-63BE-7B00-00000000A702}
ProcessId: 3632
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=4218568EFE6478BB89AEBB6F144BC1CF,SHA256=905038BADDEA1E637A41F8B1E3A2436B3E9D465CD475D732203461CDAE9D4732,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101708 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:13.986
ProcessGuid: {7DAC9CB3-BEA4-63BE-7100-00000000A702}
ProcessId: 3944
Image: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.1.14
SourceHostname: win-dc-ctus-attack-range-661.attackrange.local
SourcePort: 59525
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 10.0.1.12
DestinationHostname: ip-10-0-1-12.us-east-2.compute.internal
DestinationPort: 8000
DestinationPortName: -

--- EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39086 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:13.819
ProcessGuid: {3EE3745C-BE91-63BE-6200-00000000A802}
ProcessId: 3328
Image: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.1.15
SourceHostname: win-host-ctus-attack-range-780.us-east-2.compute.internal
SourcePort: 49956
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 10.0.1.12
DestinationHostname: -
DestinationPort: 8000
DestinationPortName: -

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101711 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:17.966
ProcessGuid: {7DAC9CB3-BEAB-63BE-7B00-00000000A702}
ProcessId: 3632
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=FC3DE3AF1EDC30676F302A29D98E26CD,SHA256=7280D06A8EE7685EAF2B7BCF143010824B37A14EF8EE2D2D85ED9DC1884DE4E2,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39102 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:17.754
ProcessGuid: {3EE3745C-BE98-63BE-7400-00000000A802}
ProcessId: 3564
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
Hashes: MD5=DE322CD1670065861EB4B7B1F0C617F9,SHA256=FFFD0B819009ABC896BD0E02CF4E552F213591251D997FC8328B011E53C799F3,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39101 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:17.534
ProcessGuid: {3EE3745C-BE98-63BE-7400-00000000A802}
ProcessId: 3564
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=F4E30C80F1D8CDE3550B2CE6E9CED639,SHA256=2243533E3B3BBE526C3225060F37FD5B0AE19F3B8A87F6A96AB4748E767B68E9,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101710 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:15.707
ProcessGuid: {7DAC9CB3-BE97-63BE-2800-00000000A702}
ProcessId: 2656
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.1.14
SourceHostname: win-dc-ctus-attack-range-661.attackrange.local
SourcePort: 59526
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 10.0.1.12
DestinationHostname: ip-10-0-1-12.us-east-2.compute.internal
DestinationPort: 8089
DestinationPortName: -

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39103 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:18.731
ProcessGuid: {3EE3745C-BE98-63BE-7400-00000000A802}
ProcessId: 3564
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=5A09DCE3900F34866FE1FD79DAF1FA75,SHA256=B80C8216D302CE67041A586B60D3AD342231142381DA0771083D02FEFACD4962,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101715 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:18.939
SourceProcessGUID: {7DAC9CB3-BE89-63BE-0D00-00000000A702}
SourceProcessId: 896
SourceThreadId: 6096
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {7DAC9CB3-BF8E-63BE-A500-00000000A702}
TargetProcessId: 4540
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101714 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:18.612
SourceProcessGUID: {7DAC9CB3-BE88-63BE-0C00-00000000A702}
SourceProcessId: 836
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {7DAC9CB3-BE89-63BE-1500-00000000A702}
TargetProcessId: 1236
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101713 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:18.612
SourceProcessGUID: {7DAC9CB3-BE88-63BE-0C00-00000000A702}
SourceProcessId: 836
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {7DAC9CB3-BE89-63BE-1500-00000000A702}
TargetProcessId: 1236
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101712 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:18.612
SourceProcessGUID: {7DAC9CB3-BE88-63BE-0C00-00000000A702}
SourceProcessId: 836
SourceThreadId: 872
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessGUID: {7DAC9CB3-BE89-63BE-1500-00000000A702}
TargetProcessId: 1236
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39104 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780
RuleName: -
UtcTime: 2023-01-11 14:12:19.827
ProcessGuid: {3EE3745C-BE98-63BE-7400-00000000A802}
ProcessId: 3564
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=11FADB6578D963FAC7C853AEFD0683E1,SHA256=95C76D56C196316E563010DE734273A52B766C170EDC8EBD3A3AA67D6837C460,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101716 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:19.162
ProcessGuid: {7DAC9CB3-BEAB-63BE-7B00-00000000A702}
ProcessId: 3632
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=3737CFC9EDF19D5A60D27EB0F727B89B,SHA256=F53385C77701556C6E7C3E1B957D53B94212EC573272B8927A5B499E291BD96C,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101717 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:20.255
ProcessGuid: {7DAC9CB3-BEAB-63BE-7B00-00000000A702}
ProcessId: 3632
User: NT AUTHORITY\SYSTEM
Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
Hashes: MD5=68E2EA4E09CC14BADCCD0D32ACF87DBF,SHA256=BFF851D5C2A6CAF26D5E4BD179E9D13798B1EB308EF6DE830F4FBEF812A7F68C,IMPHASH=00000000000000000000000000000000
IsExecutable: false
Archived: true

--- EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=101744 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName: -
UtcTime: 2023-01-11 14:12:21.890
SourceProcessGUID: {7DAC9CB3-BF9C-63BE-B700-00000000A702}
SourceProcessId: 5840
SourceThreadId: 5876
SourceImage: C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.888{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.879{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.876{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.869{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.859{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.855{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000101737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.407{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D51C8D90B5558E2B88D15A094A2CE6,SHA256=73DEF97CBB5728E1388F789040EE85DE3C424126006A55980C3349D560BBF347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.301{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x800000000000000039106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:18.840{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49957-false10.0.1.12-8000- 23542300x800000000000000039105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:21.038{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D51DAE39A421C8A1866BC6E190A8D5F,SHA256=4B01EC380F6A38FD1935683067DDD3F9642BA645DAD2697EE3A32D60ABC55E59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.285{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.275{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.270{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.267{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.260{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.216{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.208{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.199{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.181{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.155{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.143{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.133{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.124{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.111{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.096{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.086{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.013{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:21.008{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000101746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:22.357{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A4B45C2E20D404391943A6210F4D39,SHA256=29393406E024B596E893992DEAFC246B462660D0513090406F61D7EB82531B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:22.131{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF4DB12EA8E9B5B2B2DAA9EE30AFA3C,SHA256=92C0FA606E761EF5F63A9BE40919DE8311141C65CC230C0B4D3892CFB8B939EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:19.972{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59527-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:23.928{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:23.927{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000101748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:23.926{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000101747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:23.461{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F070E3F8D0AA1EF15D08D3FF93542EF,SHA256=BDE14B867DFCA1BFD7598092BC57268EEECFE2FF49E9FE85647B95D9E23165EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:23.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5166CE5AC6A20F15D6D1D70C1F39BE,SHA256=ABEB3ECA541E20D6F4C06ACB03D72291E937E8E5AB29F862DDC88D11A333C094,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:24.618{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
14:12:29.150{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F047B1D956191BF7C19B6C9E83AF4F,SHA256=8485CB27281AAC2FBA84927E87E67E4539CCBB834C125B878163698096AA09B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.137{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.135{7DAC9CB3-C3CD-63BE-9301-00000000A702}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:30.241{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E1558D92D17ECB34113924C2B261EB,SHA256=C9FE2EE77C461409ECDB005FBC8A8F3C088F5476650B3227119434455F4191C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:30.950{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.950{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.951{7DAC9CB3-C3CE-63BE-9401-00000000A702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.231{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DC268CEE8992F0019942FA02DD741A,SHA256=4917EFE5485C1B7AB92ACE613B145BA2AC0D4B6D393B73905195AA9B12B08A89,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:30.163{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CD8DA6943675BAA7A94884FEFC638E46,SHA256=B8380D7806E4C582EFCEF7F4223C86BF510963235085D47D3A500E1DE7EA36B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:29.768{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49959-false10.0.1.12-8000- 23542300x800000000000000039145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:31.440{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF0E2EBF9ECD99DDAB25E55534ADC61,SHA256=6ADE2DDBB8ECC1FA36B39369C0B8927CA0D0A5E2530EDAC52458625CA26964DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.621{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.622{7DAC9CB3-C3CF-63BE-9501-00000000A702}6588C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.727{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59529-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000101794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:29.727{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59529-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 10341000x8000000000000000101793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:31.126{7DAC9CB3-C3CE-63BE-9401-00000000A702}50525940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program 
14:12:36.653{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C3D4-63BE-9901-00000000A702}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.653{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C3D4-63BE-9901-00000000A702}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.654{7DAC9CB3-C3D4-63BE-9901-00000000A702}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.512{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1667CD8DFF439ECC49CDA55897E44E,SHA256=7D7E403577AB26DFC4EBFE427464B7D9C4C98F2664D55F3F2D849845A30CBC67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:37.606{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5189EEC86EF6462980C07F99E8DDCB9A,SHA256=79233801E93A6AD1490B74B77895317BE3631ABFB17EF75EF041BE721DE16410,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:35.670{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49960-false10.0.1.12-8000- 10341000x8000000000000000101888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000101887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.934{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:38.712{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78BA575EFD93436B151B9E6BCE42AB4,SHA256=06CFE7BC1C5DC0AF8C38A9155CCDB6F02D0F9DA6717A6B6B838D64800FACAC25,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000039155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:38.207{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCBF9F2452E431AE037897EB9D9000C,SHA256=873518E5C3AFB8D17CEC4A57B6509C053E943FBB5D023BBDA350BE330A4276F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:39.394{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22088680EFCA16C339154157DB628A16,SHA256=A1D102541C4975829F3A9A3BC4209B28778A9CE4D44886A4375AEBB999FBFC9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:36.999{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59531-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:40.489{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5236F90541186993260436CD7E3D392,SHA256=989A754ABD282EA8D705EA19A4CDB0B28078A181B53485887718BDA53A824D7D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:40.295{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5125E2E7A56D3812CEF9C16416E44580,SHA256=8731613C78C54CF6A1AEC7EBCAB1E1F0323C1782FC90274CE9673251F35AF81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:41.589{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4354010CE7682E97DA42BFBF74F02CB6,SHA256=970B9B35716B70972F7B3680C79B4A4D352C5B7A2D789F648E49698EAD7E5623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.956{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:12:41.955{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.948{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.945{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.933{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.930{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.926{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000101910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.472{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01598E6816AC5B11A6B9F2A9A41BA642,SHA256=6B16703137639E5605BE5D13047C3EC34D54483DF51CB3AFF03DAAD7335DB268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.304{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.290{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.278{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.270{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.268{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.264{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.218{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.213{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.208{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.193{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.175{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.156{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.145{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.131{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.120{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.110{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.100{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000101892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.032{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000101891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:41.029{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000039160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:42.693{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B55D50323617DBE5D84B5D82B33931,SHA256=9894B0780F8CF5010C67E97081BA7BC488F24D4E0BFB25C01D1CBD00F2844B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:42.536{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FB120B9F3819E8729155E89AFB4428,SHA256=DEE0EE253E376A645B41E0DDC06011922C21D20F0F6BC937AF825B32A5ECE7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:42.093{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=62F1104304AC813BF51B1413A33662E8,SHA256=F7FA5064EBCE52D9BEE33EC2DCA7E0DF655E49B1D25F1AACBD8D362151FB8FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:41.651{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49961-false10.0.1.12-8000- 23542300x800000000000000039161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:43.890{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DE10C91EB79260E63709F292910174,SHA256=FDBD0BED08D40E372CFF35AD057FA723E69E51C4D7F98BDBE1941752989F3F08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.998{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 
10341000x8000000000000000101920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.997{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
23542300x8000000000000000101919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.643{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925F48CA71E3388597043F3C9526773D,SHA256=DDD1D201AA64F4D7B12BB1D1D74BE2CCE5931517017D6B29A1437EA67EBF3A67,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000101940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.993{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000101939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.728{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886EC6D86A18C1ACCAC8755116B6686C,SHA256=842C68FDCC545EF36D60A32B83019E7A464D489D2AA175DF24A88902FE59DCA5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000101938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:42.848{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59532-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000039191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.681{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.677{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.674{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.672{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.670{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.667{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.665{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.662{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.660{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.654{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.646{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.641{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.638{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.626{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.611{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.607{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.588{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.575{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.524{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.514{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.498{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.483{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.468{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.461{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.447{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.436{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.419{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.410{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x800000000000000039163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:44.406{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x8000000000000000101937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.618{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.614{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.611{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.598{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.584{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.549{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.540{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.531{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.525{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.523{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.519{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.516{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.513{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.511{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:44.509{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
10341000x8000000000000000101922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:43.999{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
23542300x800000000000000039192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:45.286{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E80B522A85A39060CF711061E9EB834,SHA256=07F4096264B208FF9FBB7FC6259EDA31DC4327BB35B043F4FC311FA970F5D0C8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000101941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:45.707{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915F3E9DBD8ECBCC17A28E154BBDF088,SHA256=63394C324ABF2DEBB3EC8E06AF117334F9782B252A93AF93C62A1264BAC3AEBD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000101942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:46.814{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DA5458C3C05AF83B28ACC6EB2505C8,SHA256=A1E5291228796984E74C89BC81655C6927BA1FB07049DEE19AF5FE90B804C5E3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:46.369{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EB7E2600CBB6F3FC18BD5C5F338710,SHA256=0FA7A2832E598DCD7A090A1E3AE2D599F94E642856730259AC538D183F1B2E2D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:47.467{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B85EA3106B9F6AF7E169E6201B3F161,SHA256=AB95751C8869EC7C287A232466D4EDF87DB8106D7B988D5A9C2AE9620F96B6F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000101943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:47.907{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E2908A308E17E85B64BF62652DC34E,SHA256=4744469164103DA75540D6E627B20BCE8AD3A494B6D0254F19AE51FAAE3D7052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:48.673{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB367121EF2BB1585D47C3C7526406FB,SHA256=9F68840AA5A00CD5C58B760FD8477C014FAF8F5A69F78205FFE82EE77377D99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:48.997{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC596155B9F516289D13AA87826830CE,SHA256=9333BE06AF23DB9E7982DFD5632BF4CC3F6D6BB7FABD943CFA6845659A57E767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:49.757{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B442D91824015BA210EB676EAA039E,SHA256=4C9AB01F90548156774746C201452F968F4578647194321C2982A42BED55A9D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:46.805{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49962-false10.0.1.12-8000- 23542300x8000000000000000101945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:49.974{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-021MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:50.857{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2037854931FC5092FE7D891B903C94,SHA256=41EBA4FB233F7B782D49FE5D5E2FE70135C2082EC27ECA89375646764CD58DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:50.979{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:48.855{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59533-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:50.074{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E76D52E609ACED02DD66B5479A99FAF,SHA256=9CCC02791C823C5F2EABC99BA8464F208A9707BE22599E83E144C76E42C6D103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:51.960{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C80A1B24A8F3DF76EDB966C18EC7D3,SHA256=0DDE2424EA70BC96AC40EFD42C9E80D1E8C61DEE25886EEF038AB8FB06198EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:51.162{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1822D2A6B3D6C5CE84BFA86297F255D,SHA256=95C31A7C8353C1F24AD1AED3B2A33DD0B4775534E51523ACC2D4A4C13F76D65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:52.380{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C88DCE6054774B2EA79F31E72A23123,SHA256=67E6E0CC3AAC7EA041D2201A16E936121DA493182C2045F646C6EA3C6526B6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:53.464{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C38170BE6BD35E6D12F64370731AC3,SHA256=DC6C242E11389FAA54561B2E4A1A83456968AE39E877A201A92036028350B3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:53.063{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5148A33F6108EB089E4E1F08965291C,SHA256=F76E20516470C1BEB671A1415BF34FFD6E9E6C15C0536BCEAEF6CFEC47D8581E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:54.668{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3EAEEF4D3861B776DDA9BAA0A1B9DB,SHA256=12931B242959E2F965536538923A2CC28928930479FE653E310DA634EC60BD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:54.261{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEB5AECC2A9C467FD0F377AA5FF563D,SHA256=F6D77F5301C4E68384C88F195BFA287172D81BAE47856958179A7D5BD96E53B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:53.981{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59534-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:55.778{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F526DBE7C22F132FF80A2E27E1F4C73F,SHA256=4B53781444AD72267814B322A332BCC5A15FABACEC66AEF61A0D77724DF26884,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:52.667{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49963-false10.0.1.12-8000- 23542300x800000000000000039202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:55.470{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007957B401D2AC4CF0C486566FE4B2EA,SHA256=6FD984095483694328DEAF07CC3500764EBC0DB9557D89B904E883F9AE9C494D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:56.781{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C30DBC2F729B70200B74248F6081DE9,SHA256=D2B84001E398315B034A174D6A21712EB8FFA446BD97C9CF2FEF682F780AC82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:56.873{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933415D58DC952554D9FA2E16F4310C3,SHA256=F51CEAD83C7E1D8B692376E45690526696B05713AD0D0FBCACFA6D462122679F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:57.990{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A01D6BFAD4627FCFBDBAB4737615D6,SHA256=5AF57E3617E3B427C8F4DE2277E58C723856A987424529292AF69443173F7602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:57.940{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EBFAB28FE922F24CF7F42DCEFA6B39D7,SHA256=0BED1B3F2E9D537B90C0DF7AE57DE5342949CB292FF2CF829A6D4582558D4D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:57.960{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3DD02BA9013BF7A0176434FAE2A09F,SHA256=5B49A0EC2A6290425BDB098E741396DC692C6FB14E2C01697357DA9395DDC7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:12:59.060{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDBE1CD86A402A2BE810A8F4FDBC18C,SHA256=EC99FB86AD53F84B3603D0C6C9274831F439267FFD16F27046738667D0C2A020,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000039216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001523cd) 13241300x800000000000000039215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0x6cb89372) 13241300x800000000000000039214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c6-0xce7cfb72) 13241300x800000000000000039213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x30416372) 13241300x800000000000000039212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 
14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000039211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001523cd) 13241300x800000000000000039210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0x6cb89372) 13241300x800000000000000039209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c6-0xce7cfb72) 13241300x800000000000000039208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:12:59.108{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x30416372) 23542300x800000000000000039207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:59.077{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109D48664FA8287870279A9B90A28F11,SHA256=CEA4B6AD741C6CC6896594D9E9263884111295B534F36F6577CEBE037112B04B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000101958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:00.377{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A4B664C731F9BAFEEF1F56765E1AD6,SHA256=CCEEB3D3342B8956D8489CD167D0DF92A7FE19C7E25AD8FA18B55753CA540A96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:12:58.612{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49964-false10.0.1.12-8000- 23542300x800000000000000039218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:00.280{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17F605ACBA6DDAB7B50B0C278144D42,SHA256=CCAD4B610E8D5539D7A42EA77F2D43FF04BA4EB6B14E545D3207C2926E8173AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.813{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.811{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.803{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.799{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.790{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.786{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.782{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000101980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.439{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8274BF55FB897516B3AE521E0FEC6171,SHA256=1A144AB2E99287B15BEA069FDC21C2DFE53CDBC0013E381111B226F76172DC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:01.391{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B210B9EF056E45313FDE813A2B79ED95,SHA256=76CD343D700246CA928951D600392D56BF4418BDC3983D6A5A69D3123FDE6DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:01.303{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000039226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.439{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000039225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.433{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.427{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000039223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:04.419{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x8000000000000000102008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.490{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C296-63BE-6E01-00000000A702}6532C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.488{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.485{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.467{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.450{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.409{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.397{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.385{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.378{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.376{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.361{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.358{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.355{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.354{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000101994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.351{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000039253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:05.746{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCFA1DCDC29EE81ACD5D27D039BDB24,SHA256=AA02BB252D6F04EC8F2E263CCB7EC1F819754A9B0D78477C70FD4F733A5BE8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:05.760{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD648F8C0E41205A6E3311ABC6E0EF1F,SHA256=41F6BBCE5E6C486349FA35E1E9023022EEE72DC7493552E01B7080D73A8414A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:03.793{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49965-false10.0.1.12-8000- 
23542300x800000000000000039254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:06.852{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6C61143675BDBFFDE66778D539C1EC,SHA256=6D0BDAB1B5CEBD355A9F62DEA771B3EDB7C8CC3D3702BBF17573C0C56BB43F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:06.859{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75BA27F3FE1DF36F7D1029460940C18,SHA256=BB6B07DA88C4200DE7E2AC13C92289D33C1FB873B009C73AFAC4A34672203753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:07.933{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3071F9BD25BCDB114F1F3007978443,SHA256=3B68F0D687BE95D612CE4CCF5252473CF2437FB7E4593E10E597DF0160BBCD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:07.964{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B05FEA20BD247046EE2F3AD29F40BE3,SHA256=85D19CCFF7C2CC8DCE2D4E3A010923AB04DD121E5045617FA32EEFA78C889D9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:07.820{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:07.820{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:07.820{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:07.806{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:04.928{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59536-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:09.282{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:09.030{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8B8F350CDEC7DFB24F3098103A671F,SHA256=8F7CC2BB36AC6DBE3AC8F1F6E8327EB0327253308751D4B720E5A641C09347F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:09.054{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3545063AC467057AF14502E6906ED09D,SHA256=AC472031F1B8F30585526C45077C3F8305666F759E77014BB9F2DB03246F59A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:10.231{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D79379B7083E55667E9B191A43E1B8,SHA256=F0C7C53E95F3FD0A398A0010CF969F54D5BEC27830D2AC8AAC9CE47BA221B053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:10.267{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE28C608CBB28C448F67A84E0E0573E1,SHA256=AA08DBDC037448D0CE9EB4611D350FDCF39852CFB309360F8FA996AC30454588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A64349- 23542300x800000000000000039299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:12.260{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D6277883ED7CE49B24EF811ABDB18A27,SHA256=A78FD61E749EF942E7692BFC19015E7C3CD26C3EB7E8AE911A3364CBC4795E0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:09.663{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49967-false10.0.1.12-8000- 23542300x800000000000000039297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:12.072{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61B9BB3780B2C5E228FC07811B1B8025,SHA256=01F36CF52E4CDBD84E0E8B25FC18F71A70043EA8F3BD71F92738AA0FC3D86294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:13.673{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FD4195492F307B09EC7DF087BD88E1,SHA256=C046D006844E8FDB07F78A0CA0FD871CB3A0FCE1B6DE7F9B8803ADF5A09B74D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.991{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3F9-63BE-3F01-00000000A802}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.991{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:13.991{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.991{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:13.991{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.991{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:13.991{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.991{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:13.989{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.989{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.989{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C3F9-63BE-3F01-00000000A802}3748C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.989{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3F9-63BE-3F01-00000000A802}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.990{3EE3745C-C3F9-63BE-3F01-00000000A802}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:13.378{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E779866486B6BCD60E692F50FF4E847,SHA256=A9FC71FE8A501455F9BBD16CA5ED82415ACDD3D24D02BD0FE09467C6954E805D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:13:13.150{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d925c6-0xd76354ce) 354300x8000000000000000102020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:10.945{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59537-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:14.756{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96478E1558425AB72F2267E8403A6775,SHA256=9590DC571F4FC187ACB0FADB0B9568BB27651D35058266F32CABEC19B294C627,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.914{3EE3745C-C3FA-63BE-4001-00000000A802}38043164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.664{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3FA-63BE-4001-00000000A802}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.664{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3FA-63BE-4001-00000000A802}3804C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.664{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.664{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3FA-63BE-4001-00000000A802}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.665{3EE3745C-C3FA-63BE-4001-00000000A802}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.570{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC14E2BBC0C5B85C1FC5EE94B16FC19,SHA256=2D5678AE3D14A3A59E0F809D4450CA0AC555D51E6749E557EB4D61149CD43EF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.241{3EE3745C-C3F9-63BE-3F01-00000000A802}37483392C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.965{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC804AF09CE46CA5450307881B2B68E9,SHA256=39A96E7A4107F7336B64416F641880746C029E2985527A418AF7371A598FF8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:15.933{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:15.851{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5432063DC93852F68A113A1A75D526,SHA256=AC5BD454E51B22234F2E91221042ACBAE12DD3FCB12229E23FE8F78CE55FC36B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.526{3EE3745C-C3FB-63BE-4101-00000000A802}29002492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3FB-63BE-4101-00000000A802}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:15.335{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3FB-63BE-4101-00000000A802}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.335{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3FB-63BE-4101-00000000A802}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:15.336{3EE3745C-C3FB-63BE-4101-00000000A802}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:16.962{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A633BBCCCC43052848840E58B12173B9,SHA256=639A4072C5CB153CFA52F392AF5F2A866D0341AB31EDC39DE2717BEF25E83CA2,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000039371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C3FC-63BE-4201-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C3FC-63BE-4201-00000000A802}1892C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.584{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C3FC-63BE-4201-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:16.585{3EE3745C-C3FC-63BE-4201-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:17.617{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F0CC2989AC8FEB7F1EE2088BA81E60B,SHA256=D93EDA4D90B053519975FF9F6724B86C6F6202E78789E3FD4DF5DC076EC84B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:17.294{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD90C6AE22E5FC69BD7B9E045CEBB1EE,SHA256=41C66C1D74570E335459B08A02FD02C0360733AD2F4B5954BB3AF4F5E6080142,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:14.801{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49968-false10.0.1.12-8000- 354300x8000000000000000102027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:15.726{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59538-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000039375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:18.395{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD992F6BBF03578932B330DB6819F56,SHA256=49A74B9FC106D41630A0104935A79668ECE6015D4B309AED69E8E7B6A4804860,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:16.028{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59539-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:18.062{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EA0B7F6B63C9209B16A6EED0E05EAC,SHA256=75E918E05B66B41ECDBE6ECE31BFC570782C89B02BF2FFE68438EDCB7C20B7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:19.484{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391687A49C4E41FCF5441D738287F4F4,SHA256=B7D04742C1132518A8359BCBAD5CA0A731292AE59FC5AE70A49075A0D4E71984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:19.270{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1EF20523D166417A37989B4EBD4510,SHA256=465ED2FAFB9A172245C5D14F6F0B0F2DB4C90E2976B4E78443DD656FDF2686DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:20.993{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:20.987{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:20.376{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF43D5E277955DDA92E31ED4DEEA880,SHA256=8B7A5AFBAA36A69DC6847AB7A13EA608D1036371D00159A70A2F61CEB9F9AA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:20.584{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BF60C9F40730813A364AC398AB43AB,SHA256=84FFF9E935476E1458FAD528CB55262825A965755AA17D14CB86B8EA64517FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:21.685{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26912923E288592161A7317D089B0539,SHA256=5332B66B74D4D6F997590DF1DBFB5A5DF8B8F19A819C6DB4DD6F10EDD2411B87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.856{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.854{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.850{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.848{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.842{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.840{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.836{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.450{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DA95AF4E0B7BF4C3319C303739F80E,SHA256=A818D4E65690C7C951C224C7BD39A9A5EF560A696AA15EB0B57E8AAB645D6609,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.229{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.217{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.211{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.208{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.206{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.204{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.153{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.147{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.140{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.128{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.115{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.106{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.096{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.085{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.067{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.052{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.042{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000039379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:22.880{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FF04E5B8FBD1FF167CC9810FB36410,SHA256=EA08345351CB01E644AF58B61A4013DBF649D0014AF8901F3A77EF23A9D3ADF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:22.713{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E1BFED853E28E19E1459FBF8D05FCB,SHA256=3E8445237378192E3105F9EACD342E0952D6918644BCC8BA38E96BB3A7F47C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:23.889{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:23.887{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 
10341000x8000000000000000102062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:23.886{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:23.823{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8028C3D1EB2EFE63E5EB3CBC5B46E954,SHA256=0D1D7AD319EAC30DB1154AC5E73BA563DFFCAC3BAA58FF00177D768490B716F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:20.814{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49969-false10.0.1.12-8000- 354300x8000000000000000102060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:21.906{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59540-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:24.908{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E904BE7C63A84084EE57478B1CEBE022,SHA256=6ABA65E623B6553FF1CF9B6DC91132A0FC203728C723931EDF562695C2CAD0B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.657{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.654{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.652{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:24.648{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
14:13:29.147{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C409-63BE-9A01-00000000A702}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.147{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C409-63BE-9A01-00000000A702}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.147{7DAC9CB3-C409-63BE-9A01-00000000A702}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.943{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:30.943{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.943{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:30.943{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.943{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:30.943{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.943{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.944{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.536{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D6E7BFE31F62DC680B2C2D9D1907C7,SHA256=C5AEDB4F8CE82A9C9103F3CBBCB88D154F5A9C85AE5304BFFA75996BE32DB8E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:13:30.415{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d925c6-0xe1adc786) 23542300x8000000000000000102094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:30.302{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA4E688DDEC821F1CB2B8ADF6ECA6A36,SHA256=111EA6066C916A1ABE65D6438DDE04D6DF64DE22756794871573F6D03D87C14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:30.002{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D36B6A33346D3072AAE512FF71184E20,SHA256=59F0A2D069E62EF15AC0A9E696688750DA4FF5541C623232E6C91A34F20A45B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.728{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59542-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000102121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:29.728{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59542-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 10341000x8000000000000000102120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:31.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.760{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C40B-63BE-9C01-00000000A702}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:31.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:31.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.760{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C40B-63BE-9C01-00000000A702}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.760{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C40B-63BE-9C01-00000000A702}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.761{7DAC9CB3-C40B-63BE-9C01-00000000A702}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.620{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFCC24B4BC7D8A6594155399FCC764D,SHA256=7BFE2F0BC9FD7004C1A12A6E9CAE2353E4E58D4F89E5BB341A5F8DB28B04C51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:31.067{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849B08C2189CE99BA25F11F2CC08D7E8,SHA256=318BA5BBE9FEFF501508B9A4E359CE3A9954C769E598B0B99CEF405C9E60056C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.417{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AEC36E336C740F25574E3AA70E0863F3,SHA256=85ED95AF6127CC6C8B3103F04EE7FF25FC594795D14E937E2AD298AEA334D10A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.260{7DAC9CB3-C40A-63BE-9B01-00000000A702}24284212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.035{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:31.035{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C40A-63BE-9B01-00000000A702}2428C:\Program 
14:13:36.654{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C410-63BE-A001-00000000A702}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C410-63BE-A001-00000000A702}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.654{7DAC9CB3-C410-63BE-A001-00000000A702}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:36.994{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC40AA93F3E4D600D8353C33F405667,SHA256=9D643E2688920922FF382EF331469D4F2720DA0AD95C0B4CB60931B1B1DD36F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:38.086{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7F28C31CABB680093989C945FB8CB9,SHA256=A256BE621B265A5AD7B9840E8D50F9AECB95142945E4A48995ECFE5BB0C2B465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:38.085{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91ABC7F5EE5F5660C1FF8CA0D063EA4,SHA256=91BEBA75D280FCC1AF7A35976B85C52E803C512E95D8EA4DB76E9DCE4DB2B733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:39.169{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90196F6D0EB8BDEE4FF5779EC68E1F2B,SHA256=9D072129BFFB38906EE5DE521DC672246AD530816978A07474AC1193BA99DFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:39.206{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586324233AC013297C2018EDEB981688,SHA256=906ED8AD5921B3C3270F1800ECA879EC5A0A4EAC424EBB53F976EFF24216D4E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:38.626{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49972-false10.0.1.12-8000- 23542300x800000000000000039429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:40.468{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435A803EB5B10466935F2765EEF38F14,SHA256=135389868DC3E02045BCD51108E7FF33C858E07DA98979E4282E9697E05EB8E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:38.937{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59544-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:40.329{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B415AAE147560146A6E7DA77B26786A2,SHA256=EEC203A688999B33D56681194B2A9F106C1FE4F91420046FECDEAE0C180D719B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:41.557{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EAD6C2A9AF8465079A52A0A34A3D9E,SHA256=DEE3C05281A966E552C1E150AA1E7FDA8EFA63E1489862AEA086CAB336E3094E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.949{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.948{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.943{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.940{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.934{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.932{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.928{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.417{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E20DC963443CDFBB7435CAC281906E9,SHA256=488A3420EF753C4AFFC8D46D0A1066259E75BFBE07378071F963FE6B9920E296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.395{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.379{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.367{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.359{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.356{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.348{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.293{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.278{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.266{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.243{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.221{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.209{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.197{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.183{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.161{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.139{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:41.124{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe -> TargetProcessGUID {7DAC9CB3-BE88-63BE-0C00-00000000A702}, TargetProcessId 836, TargetImage C:\Windows\system32\svchost.exe, GrantedAccess 0x40, CallTrace as in the Aurora sweep rows below with final frame UNKNOWN(00000000136003D0). (Tail of a ProcessAccess record whose header falls before this excerpt.)

All records below come from the Microsoft-Windows-Sysmon/Operational channel with Keywords 0x8000000000000000, Level 4, Opcode 0 and RuleName "-". Event ID 10 is ProcessAccess (schema version 3, Task 10); Event ID 23 is FileDelete with the deleted file archived (schema version 5, Task 23). Every UtcTime is on 2023-01-11, so only the time of day is shown. Hosts: DC = win-dc-ctus-attack-range-661.attackrange.local, HOST = win-host-ctus-attack-range-780.

Event ID 23 (FileDelete). User is NT AUTHORITY\SYSTEM, IsExecutable=false and Archived=true on every row; every Hashes field also carries IMPHASH=00000000000000000000000000000000.

RecordID | Host | UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | Hashes
39433 | HOST | 14:13:42.867 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=08906BA0AA53B4201F402751FB6700F6,SHA256=38E8A40D4211BD2268876BE8DCF2608A8A1B18B708BA680C488DC87A3A77C29B
102202 | DC | 14:13:42.472 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C364FAC3364DFB8B6767C99667982CCF,SHA256=09B9BE8506E18BBCF151C270270169287FFFA62CDFFAFF4AE47B11FF196EBEC9
39432 | HOST | 14:13:42.364 | {3EE3745C-BE85-63BE-2200-00000000A802} | 1620 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log | MD5=BBB1F5CFD52EED50D06E3F29912CDA6E,SHA256=779DC937899838349E4C61369CD9BDC880E0175585D4C3228695FECC1518C378
39434 | HOST | 14:13:43.958 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=FF8393189FC4D00D17709D3B29BC9FF7,SHA256=985304793F349BD55E9B9FFAF186E63CA5C13B37777F6BED673BCD77C84D3B7A
102203 | DC | 14:13:43.571 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=51AB940B8B3C332196813AF2ABDAE11A,SHA256=9CBC4B932605E1925AE6B6D1BF2485BFADFA094B7C1561F0544B9A3DDB936CE9
102221 | DC | 14:13:44.654 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=C3FCA90C0078DEC65EEE225D41A3F84E,SHA256=87FD77229C67ACA789643DC8130EDAEB014BA2D6D2CAAC3AD58408E5EE13765F

Event ID 10 (ProcessAccess), the one access into the agent. RecordID 102222, DC, 14:13:44.992: SourceProcessGUID {7DAC9CB3-BE88-63BE-0C00-00000000A702}, SourceProcessId 836, SourceThreadId 872, SourceImage C:\Windows\system32\svchost.exe, TargetProcessGUID {7DAC9CB3-BF9C-63BE-B700-00000000A702}, TargetProcessId 5840, TargetImage C:\Program Files\Aurora-Agent\aurora-agent.exe, GrantedAccess 0x1000, CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Event ID 10 (ProcessAccess), the Aurora sweep. Every row has SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe and GrantedAccess 0x40. SourceProcessGUID and SourceProcessId are {7DAC9CB3-BF9C-63BE-B700-00000000A702} / 5840 on DC and {3EE3745C-BE85-63BE-2100-00000000A802} / 1552 on HOST; SourceThreadId (SrcTID) is given per row. CallTrace is identical on every row apart from the address in its final UNKNOWN frame, which is given in the last column:
C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(<address>)

RecordID | Host | UtcTime | SrcTID | TargetProcessGUID | TargetProcessId | TargetImage | UNKNOWN frame
102176 | DC | 14:13:41.002 | 6048 | {7DAC9CB3-BE87-63BE-0B00-00000000A702} | 636 | C:\Windows\system32\lsass.exe | 0000000017A1A190
102175 | DC | 14:13:40.997 | 6048 | {7DAC9CB3-BE86-63BE-0900-00000000A702} | 576 | C:\Windows\system32\winlogon.exe | 0000000017A1A190
102206 | DC | 14:13:43.996 | 5988 | {7DAC9CB3-BE98-63BE-3D00-00000000A702} | 3280 | C:\Windows\System32\vds.exe | 00000000136003D0
102205 | DC | 14:13:43.995 | 5988 | {7DAC9CB3-BE98-63BE-3600-00000000A702} | 3116 | C:\Windows\system32\conhost.exe | 00000000136003D0
102204 | DC | 14:13:43.993 | 5988 | {7DAC9CB3-BE97-63BE-3100-00000000A702} | 3028 | C:\Windows\system32\wbem\unsecapp.exe | 00000000136003D0
102220 | DC | 14:13:44.597 | 5988 | {7DAC9CB3-C226-63BE-5B01-00000000A702} | 4528 | C:\Program Files\Notepad++\notepad++.exe | 00000000136003D0
102219 | DC | 14:13:44.595 | 5988 | {7DAC9CB3-C059-63BE-F300-00000000A702} | 6208 | C:\Windows\system32\wbem\wmiprvse.exe | 00000000136003D0
102218 | DC | 14:13:44.579 | 5988 | {7DAC9CB3-BF91-63BE-AF00-00000000A702} | 4604 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | 00000000136003D0
39463 | HOST | 14:13:44.705 | 4044 | {3EE3745C-C0AB-63BE-C000-00000000A802} | 588 | C:\Windows\system32\wbem\wmiprvse.exe | 000000001B26C190
39462 | HOST | 14:13:44.701 | 4044 | {3EE3745C-BEFF-63BE-8200-00000000A802} | 524 | C:\Windows\System32\msdtc.exe | 000000001B26C190
39461 | HOST | 14:13:44.698 | 4044 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | 000000001B26C190
39460 | HOST | 14:13:44.695 | 4044 | {3EE3745C-BE91-63BE-6200-00000000A802} | 3328 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | 000000001B26C190
39459 | HOST | 14:13:44.693 | 4044 | {3EE3745C-BE88-63BE-3D00-00000000A802} | 2812 | C:\Windows\system32\conhost.exe | 000000001B26C190
39458 | HOST | 14:13:44.689 | 4044 | {3EE3745C-BE87-63BE-3C00-00000000A802} | 3024 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | 000000001B26C190
39457 | HOST | 14:13:44.688 | 4044 | {3EE3745C-BE87-63BE-2E00-00000000A802} | 2956 | C:\Windows\system32\conhost.exe | 000000001B26C190
39456 | HOST | 14:13:44.686 | 4044 | {3EE3745C-BE86-63BE-2600-00000000A802} | 2580 | C:\Windows\system32\wbem\unsecapp.exe | 000000001B26C190
39455 | HOST | 14:13:44.684 | 4044 | {3EE3745C-BE86-63BE-2500-00000000A802} | 2340 | C:\Windows\system32\svchost.exe | 000000001B26C190
39454 | HOST | 14:13:44.678 | 4044 | {3EE3745C-BE85-63BE-2200-00000000A802} | 1620 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 000000001B26C190
39453 | HOST | 14:13:44.666 | 4044 | {3EE3745C-BE85-63BE-2000-00000000A802} | 1288 | C:\Windows\system32\svchost.exe | 000000001B26C190
39452 | HOST | 14:13:44.661 | 4044 | {3EE3745C-BE85-63BE-1F00-00000000A802} | 1992 | C:\Windows\System32\svchost.exe | 000000001B26C190
39451 | HOST | 14:13:44.658 | 4044 | {3EE3745C-BE85-63BE-1C00-00000000A802} | 1912 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | 000000001B26C190
39450 | HOST | 14:13:44.649 | 4044 | {3EE3745C-BE85-63BE-1A00-00000000A802} | 1896 | C:\Windows\sysmon64.exe | 000000001B26C190
39449 | HOST | 14:13:44.639 | 4044 | {3EE3745C-BE85-63BE-1800-00000000A802} | 1780 | C:\Windows\System32\spoolsv.exe | 000000001B26C190
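What this sweep looks like to a detection rule: within roughly half a second aurora-agent.exe (PID 1552 on win-host-ctus-attack-range-780, PID 5840 on the DC) opens a handle to every process on the box, lsass.exe and winlogon.exe included, with GrantedAccess 0x40, which is PROCESS_DUP_HANDLE, always from the same wow64 call stack that returns into aurora-agent.exe+6a255. The single access in the other direction, record 102222, is svchost.exe PID 836 opening the agent with 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) through the RPC runtime. A rule that fires on any handle to lsass.exe, or on 0x40 alone, alerts on every sweep; a rule that exempts the agent by file name alone is satisfied by any binary called aurora-agent.exe. The Python below is an added example, not code from this dump or from the Aurora or Splunk projects: it parses Event ID 10 records in a reduced form of Sysmon's XML layout, decodes GrantedAccess into PROCESS_* rights, alerts on PROCESS_VM_READ against lsass unconditionally, and accepts a 0x40 open only when both the full image path and the CallTrace match the pinned agent. Records 102176 and 102222 are reconstructed from values in the dump; the allowlist, the trace regex, C:\Users\Public\dump.exe with 0x1010, the copied agent binary and record IDs 999001/999002 are assumptions made for the example.

```python
r"""Triage of Sysmon Event ID 10 (ProcessAccess) records that touch lsass.exe.
Added example, not code from the log dump or from the Aurora or Splunk projects. Events are
built in a reduced form of Sysmon's XML layout; records 102176 and 102222 reuse values from
the dump, records 999001/999002 (C:\Users\Public paths) are hypothetical."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
PROCESS_RIGHTS = {  # PROCESS_* rights from winnt.h; Sysmon logs the requested mask as GrantedAccess
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010     # needed to read credential material out of lsass
PROCESS_DUP_HANDLE = 0x0040  # what the agent in the dump requests on every process

# Assumed allowlist for this environment (not vendor-published). The exemption is bound to the full
# image path AND to a CallTrace that returns through that module, so a binary merely named
# aurora-agent.exe in another directory, or code injected into the agent, gets no pass.
TRUSTED_SWEEPERS = {
    r"c:\program files\aurora-agent\aurora-agent.exe":
        re.compile(r"\\aurora-agent\.exe\+[0-9a-f]+\|UNKNOWN\(", re.IGNORECASE),
}
AURORA_TRACE = (  # CallTrace as recorded in the dump for the 0x40 sweep (record 102176)
    r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|"
    r"C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|"
    r"C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|"
    r"C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190)")


def sysmon_event(record_id, computer, **data):
    """Render one constructed event in the (reduced) XML layout Sysmon writes to the event log."""
    fields = "".join('<Data Name="%s">%s</Data>' % (k, escape(v)) for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            '<EventID>10</EventID><EventRecordID>%d</EventRecordID><Computer>%s</Computer>'
            '</System><EventData>%s</EventData></Event>' % (record_id, escape(computer), fields))


def parse_event(xml_text):
    """Flatten one Sysmon <Event> into a dict of System fields plus every EventData <Data>."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    rec = {"EventID": int(system.findtext(NS + "EventID")),
           "EventRecordID": int(system.findtext(NS + "EventRecordID")),
           "Computer": system.findtext(NS + "Computer")}
    for data in root.find(NS + "EventData"):
        rec[data.get("Name")] = data.text or ""
    return rec


def decode_access(mask_text):
    """Expand a GrantedAccess value such as '0x1010' into its PROCESS_* right names."""
    mask = int(mask_text, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def triage(rec):
    """Verdict for one record: 'skip' (target is not lsass), 'noise' (pinned agent sweep) or 'alert'."""
    if rec["EventID"] != 10 or not rec["TargetImage"].lower().endswith(r"\lsass.exe"):
        return "skip"
    mask = int(rec["GrantedAccess"], 16)
    src = rec["SourceImage"].lower()
    trusted = src in TRUSTED_SWEEPERS and bool(TRUSTED_SWEEPERS[src].search(rec["CallTrace"]))
    if mask & PROCESS_VM_READ:
        return "alert"  # reading lsass memory is never part of a handle inventory
    if mask & PROCESS_DUP_HANDLE and not trusted:
        return "alert"  # handle duplication from anything other than the pinned agent
    return "noise"


def run(xml_events):
    """Triage a batch of XML events; returns (EventRecordID, verdict, rights) per event."""
    recs = [parse_event(x) for x in xml_events]
    return [(r["EventRecordID"], triage(r), decode_access(r["GrantedAccess"])) for r in recs]


DC = "win-dc-ctus-attack-range-661.attackrange.local"
SAMPLE_EVENTS = [
    # Record 102176 from the dump: the agent's sweep reaching lsass with PROCESS_DUP_HANDLE.
    sysmon_event(102176, DC, UtcTime="2023-01-11 14:13:41.002", SourceProcessId="5840",
                 SourceImage=r"C:\Program Files\Aurora-Agent\aurora-agent.exe", TargetProcessId="636",
                 TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x40", CallTrace=AURORA_TRACE),
    # Record 102222 from the dump: the RPC runtime inside svchost querying the agent; target is not lsass.
    sysmon_event(102222, DC, UtcTime="2023-01-11 14:13:44.992", SourceProcessId="836",
                 SourceImage=r"C:\Windows\system32\svchost.exe", TargetProcessId="5840",
                 TargetImage=r"C:\Program Files\Aurora-Agent\aurora-agent.exe", GrantedAccess="0x1000",
                 CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906"),
    # Hypothetical: a dumper opening lsass with 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION).
    sysmon_event(999001, DC, UtcTime="2023-01-11 14:20:00.000", SourceProcessId="7777",
                 SourceImage=r"C:\Users\Public\dump.exe", TargetProcessId="636",
                 TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010",
                 CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Users\Public\dump.exe+1234"),
    # Hypothetical: the agent's 0x40 from a copy of the binary outside its install path, no agent frame in the stack.
    sysmon_event(999002, DC, UtcTime="2023-01-11 14:21:00.000", SourceProcessId="7778",
                 SourceImage=r"C:\Users\Public\aurora-agent.exe", TargetProcessId="636",
                 TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x40",
                 CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(000000000040D0F0)"),
]

if __name__ == "__main__":
    for record_id, verdict, rights in run(SAMPLE_EVENTS):
        print(record_id, verdict, "|".join(rights))
```

Run as-is it prints one line per sample: 102176 comes out as noise, 102222 is skipped, and both hypothetical records alert. In a pipeline, feed triage() the EventData of each forwarded record instead of SAMPLE_EVENTS; the noise verdicts are still worth counting per host, because a sweep that stops, changes thread or changes call stack is itself a signal about the agent.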
Event ID 10 (ProcessAccess) records, the Aurora sweep continued. Channel Microsoft-Windows-Sysmon/Operational, Keywords 0x8000000000000000, Level 4, Opcode 0, RuleName "-", schema version 3, Task 10; every UtcTime is on 2023-01-11. Hosts: DC = win-dc-ctus-attack-range-661.attackrange.local, HOST = win-host-ctus-attack-range-780. Every row has SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe and GrantedAccess 0x40; SourceProcessGUID and SourceProcessId are {7DAC9CB3-BF9C-63BE-B700-00000000A702} / 5840 on DC and {3EE3745C-BE85-63BE-2100-00000000A802} / 1552 on HOST; SourceThreadId (SrcTID) is given per row. CallTrace is identical on every row apart from the address in its final UNKNOWN frame, which is given in the last column:
C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(<address>)

RecordID | Host | UtcTime | SrcTID | TargetProcessGUID | TargetProcessId | TargetImage | UNKNOWN frame
39448 | HOST | 14:13:44.636 | 4044 | {3EE3745C-BE85-63BE-1700-00000000A802} | 1236 | C:\Windows\system32\svchost.exe | 000000001B26C190
39447 | HOST | 14:13:44.607 | 4044 | {3EE3745C-BE85-63BE-1600-00000000A802} | 1224 | C:\Windows\system32\svchost.exe | 000000001B26C190
39446 | HOST | 14:13:44.589 | 4044 | {3EE3745C-BE85-63BE-1500-00000000A802} | 1040 | C:\Windows\system32\svchost.exe | 000000001B26C190
39445 | HOST | 14:13:44.541 | 4044 | {3EE3745C-BE85-63BE-1400-00000000A802} | 1032 | C:\Windows\system32\svchost.exe | 000000001B26C190
39444 | HOST | 14:13:44.526 | 4044 | {3EE3745C-BE85-63BE-1300-00000000A802} | 868 | C:\Windows\system32\svchost.exe | 000000001B26C190
39443 | HOST | 14:13:44.517 | 4044 | {3EE3745C-BE85-63BE-1200-00000000A802} | 1004 | C:\Windows\System32\svchost.exe | 000000001B26C190
39442 | HOST | 14:13:44.503 | 4044 | {3EE3745C-BE85-63BE-1100-00000000A802} | 972 | C:\Windows\System32\svchost.exe | 000000001B26C190
39441 | HOST | 14:13:44.491 | 4044 | {3EE3745C-BE85-63BE-1000-00000000A802} | 944 | C:\Windows\System32\svchost.exe | 000000001B26C190
39440 | HOST | 14:13:44.484 | 4044 | {3EE3745C-BE85-63BE-0F00-00000000A802} | 904 | C:\Windows\system32\dwm.exe | 000000001B26C190
39439 | HOST | 14:13:44.470 | 4044 | {3EE3745C-BE85-63BE-0E00-00000000A802} | 896 | C:\Windows\system32\LogonUI.exe | 000000001B26C190
39438 | HOST | 14:13:44.452 | 4044 | {3EE3745C-BE84-63BE-0D00-00000000A802} | 788 | C:\Windows\system32\svchost.exe | 000000001B26C190
39437 | HOST | 14:13:44.436 | 4044 | {3EE3745C-BE84-63BE-0C00-00000000A802} | 728 | C:\Windows\system32\svchost.exe | 000000001B26C190
39436 | HOST | 14:13:44.421 | 4044 | {3EE3745C-BE84-63BE-0B00-00000000A802} | 632 | C:\Windows\system32\lsass.exe | 000000001B26C190
39435 | HOST | 14:13:44.417 | 4044 | {3EE3745C-BE84-63BE-0900-00000000A802} | 572 | C:\Windows\system32\winlogon.exe | 000000001B26C190
102217 | DC | 14:13:44.568 | 5988 | {7DAC9CB3-BF90-63BE-AE00-00000000A702} | 4168 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | 00000000136003D0
102216 | DC | 14:13:44.536 | 5988 | {7DAC9CB3-BF8F-63BE-AD00-00000000A702} | 5040 | C:\Windows\Explorer.EXE | 00000000136003D0
102215 | DC | 14:13:44.529 | 5988 | {7DAC9CB3-BF8E-63BE-A500-00000000A702} | 4540 | C:\Windows\system32\svchost.exe | 00000000136003D0
102214 | DC | 14:13:44.520 | 5988 | {7DAC9CB3-BF8E-63BE-A200-00000000A702} | 4436 | C:\Windows\System32\rdpclip.exe | 00000000136003D0
102213 | DC | 14:13:44.515 | 5988 | {7DAC9CB3-BF8C-63BE-9F00-00000000A702} | 172 | C:\Windows\system32\dwm.exe | 00000000136003D0
102212 | DC | 14:13:44.513 | 5988 | {7DAC9CB3-BF8B-63BE-9D00-00000000A702} | 2144 | C:\Windows\system32\winlogon.exe | 00000000136003D0
102211 | DC | 14:13:44.510 | 5988 | {7DAC9CB3-BF11-63BE-8900-00000000A702} | 3180 | C:\Windows\System32\msdtc.exe | 00000000136003D0
102210 | DC | 14:13:44.507 | 5988 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | 00000000136003D0
102209 | DC | 14:13:44.504 | 5988 | {7DAC9CB3-BEA4-63BE-7100-00000000A702} | 3944 | C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:44.502{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:44.500{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000039464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:45.435{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238D77E69878880AC120AF673C41395A,SHA256=65758EA89B52812FA7F13ED191A03CA7ABC775589105468D7CE2E2F083AEE204,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:44.034{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59545-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:45.736{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C30E4512098FB707A2E5D02F92F7080,SHA256=4344241DAE90FF4272E5B61BAF873E18D92AA331C30CB122F0AC90D50EE7B259,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:45.378{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=7D694A7696897B959203E9E5857B916A,SHA256=8715A9A3AABA9A6D0969E8E05BB219F797982C20556601877FBD277328D80879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:45.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:13:45.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:45.004{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:46.845{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A005FAD9FE61DFB8233E06EA0D35D18,SHA256=AE8186D3BFB2F04D4FDEF9C4655E5A954A6CF1BF20DFB57A27A4B1CF242225B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:46.567{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AB3465BCE1BB45511F414EA24C4294,SHA256=D939919DFEE887E7D97818B6839D4487ACECE316AC110F34E047DDC5C4D09ABB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:43.780{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49973-false10.0.1.12-8000- 23542300x8000000000000000102230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:47.960{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0C3A4C861A75F43798BF0CD5F0D70E,SHA256=D3CE5E421DCBF705365F28CDCE625ECCBAC174107BE85B85E342505D314D0F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:47.665{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C62A993D3F6B21A1812AE9B8EE2B9AE,SHA256=52EF67A7857CB71150D43B5218C8573A6DBDA5BC5A81D29BDC90B7D05FCEEC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:48.770{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EF8063483B30B20CE12D4FA88B6EE6,SHA256=4D086156B96C07FAEE2738EAE618F2BD1A006BE8382A3EBDCFBFC65C3BB0C7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:49.861{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514FB203F2D68967FBEEAF5F3124C282,SHA256=F1DF9327A40D8CE841B887E12CC010E7499A0C03CED6A90FDB36117B43288FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:49.066{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5387DB01E17AF4031B86B23A5E86C78,SHA256=E76A79985F748A90FF83A6242A772B15D2293B02985AE794E8F089F6BCB09934,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:50.161{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6A43B1782FC64561ACD0E5BB713EAC,SHA256=695E69F0937FB572155CB83E80E0B577ABC3A56C57D4F5316A8542F310154B93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:49.667{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49974-false10.0.1.12-8000- 23542300x800000000000000039470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:51.174{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BAFA9216F4C066271CB031E6605566,SHA256=0E9C97C25156784C21516E46F7095BAD70A82217F4C378FEB8268820973E571A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:51.507{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-022MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:51.254{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78D4D517BAF0D09AEC9681328C66187,SHA256=53DDAB0B1AB95C93701BE36D84DAFD27AAF498E8DAC28A68944D7C3F38A8B1A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:52.263{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD7C77C317EAADD4768F2207E75F203,SHA256=1FCC1E51CB238EB0055D305C2CA7619D67F430B24168D62493B559F80D0A5E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:52.512{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:52.383{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program 
Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-11_141345MD5=71F241199BA49F1DDBC08543F21EB65F,SHA256=57C573660E98B93E859497F7F296ED22832C08F1D5F174F6047ACF28398F98A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:52.352{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E3FA3F492D86BCC0E90C898E6DA398,SHA256=50C27095EB186601215C738A3B8A669FD85C78FA0ACE7D542D81685BCBA15D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:49.956{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59546-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:53.367{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03C9810476DB7E9EB6871178AF1E0C9,SHA256=8FE1B2C943189CA9FD86F796EDE0508E395951C250B1B676BA41E3787874CF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:53.456{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A40D445F27FB37C34CBF92C95D4838,SHA256=C7E24E8AAB9E4804778326B73D1177DE22F475597A996BFB448B290AA0BD5BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:54.466{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB252F1E71B55B179D769CAD6A57BB4,SHA256=C3D962A6960E9367FEA069E4C34C7ED2455C35799AC7726FA96CF622511B41A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:54.544{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E5C228DD21C81D599D22FCF98F36CD,SHA256=AD9549976C0894483FFEC26F7AEE6D5A07ED05DFC8D215820C7675F5BF56A220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:55.567{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1204728B52DC87527D8C6868794B9C3,SHA256=B113BD972430729EAEE5A1A3444391FD0987ED69D9C551D10A6F4A201F8EF9F5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:55.649{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC20AEDF4CB1E1896BA37860685BE67,SHA256=1F8756279C0FD12B594C65092E9EB47514C16FCDD61131B0670CFBBFD9D6978D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:56.950{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-11_141345MD5=4EBD3DC66CBC7FA14171CD13DD4ADD2D,SHA256=D4DEF05F896BADA80B1E9D6DED7A44C7CD46242223146B131AA73D3BB94F805D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:56.950{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=42DCCA41001E3FC5CA7AA2EE97204F72,SHA256=8AC1449776815B6EB07805E3088B63CE1F8E038B0507FB5BD3B7F0A880FBA462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:56.744{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA06325E600E8AE0379D9ECD1B257B2F,SHA256=9E198D17AABDE73BFEBD6CFCC4E9B9B64F9A7B17088262079DA12548FC87C061,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:54.768{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49975-false10.0.1.12-8000- 23542300x800000000000000039476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:56.648{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB97354B6E490A80D9163F3810428622,SHA256=520BADF6F4DA27A55A64991824323E3BC3E523CD6BCCFB9E1872F7A7543EF334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:57.839{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1153A994F9931D6C8A2D11890ECBCD0D,SHA256=9B5464CAD7A98085E60586786E93954F7AF3880C517D6848E9748894C3D2E7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:57.950{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5D0B8901CCB81754DBB4C8C6F2F7BBC9,SHA256=DFB785F98F3C32654A7630DE8FC2BB7CC239FC389B954632B6B7F849113E1838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:57.745{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD4C4F588698A303FF60A3857B09781,SHA256=5B92C8669DD20050E939C10B7B2C5336087F7C147FD9E8F85CD393A1DE5EB33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:58.841{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8234A3E2001887D364854A5D66AF75,SHA256=DA500439A576E90151F3DBC571D321E7DAF57B786CD83148A486BD97D3D4723D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:55.840{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59547-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:13:59.934{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BAB080C1DA895BFC6BE924C8FBC3B2,SHA256=071B18223D8D84EC37B78CFD188EFFE057728BD84D00B0DEDEB371BC60A2DE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:13:59.046{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF929B256D86DC62D9C1816DA79D4885,SHA256=9B19E19E71BEA3E6F69BA7234125574D3F9F0AFEEA4E7E4E254D54001D02576E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:00.995{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:00.992{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000102248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:00.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A56DCBBD1976CA8AA60F03766A76C2E,SHA256=434327BAA49B6E16F1C424B0248FF3FB4ED43CB9BA0D5F0455612D6712AE1006,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.783{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:01.781{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.772{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.768{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.756{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.753{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.749{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000102269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.544{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F63C9F1218939AE93F87824F7DE55EC9,SHA256=4E87DA455E8A980081D8A89619E9C41B0CA630E51DF451C3914F000B4B90CC2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.236{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000102267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.231{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A5444794F2AF335F5269A41AAA7E8C,SHA256=562D6C4FAF78EC96680D8626A01A691B92FF42A642411FF732C792EB90AA96B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 
10341000x8000000000000000102265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.211{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.207{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.203{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.201{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.164{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.156{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000039482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:01.040{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42089D05A41E5EAB87CEE7107CA6D057,SHA256=C1133BC6AD23FE45CC74F9428717819AAEAB75351DDFC299CECE5C9112830EF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:01.148{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.129{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.116{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.104{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.095{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.085{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.065{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.051{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:01.042{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000102278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:02.275{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5F9E1CEC75E0F883B2D9BD20749B58,SHA256=1687CC6432AF33BB8EA2AB6ACD4861B5C179225F7622FE4975F24026075EB9C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:00.624{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49976-false10.0.1.12-8000- 23542300x800000000000000039483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:02.145{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F50CD05FC7BF3A5C2CD7F14AD8DDE3,SHA256=3ACE651040B8BAF8FACD34B6C175EBD514D65FD38FBCC221F52BC2D634B508CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:02.096{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1183FA93B325FA8883FFDB1C522E44AC,SHA256=3E53411F2606F6F6B3D80DC3BFA2DCEFD349B103D905E8F7138D58F4357F97A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:03.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96CAB795E14A5A4BB482CB957FB4238,SHA256=931FF4565D57B5599C5D5C5B43C1623874288F33A0766ED2E7111B401062A96D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:03.803{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:03.802{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:03.801{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000102280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:03.379{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5614159DCEF03AEE9CAAC15692D9E776,SHA256=B87FC28EA97E8E0FBF4E141A4D8984ABF1A181A35E1CCEE8A48574C6716BB095,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:00.977{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59548-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000102298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:04.539{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:04.534{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:04.506{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:04.483{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:04.415{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:04.391{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000102292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:04.370{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000102291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:04.354{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D7C6D62A1E6CA46A820EC0D7627A2E,SHA256=5621EA99CBAC2B030838AA8D3EA6E4FB39D48FA2EA1EAC3E8EC43137CA4CE5CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
Sysmon events, reconstructed one record per line from the flattened export. Common to every record on this page: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-, Task=EventID; Version=3 for EventID 10 (ProcessAccess), Version=5 for EventID 3 (NetworkConnect) and EventID 23 (FileDelete). Field order per event type follows the Sysmon schema (ProcessAccess: UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace).

CallTrace[A] (identical in every aurora-agent.exe ProcessAccess record; the final UNKNOWN frame is 0000000013080610 on win-dc-ctus-attack-range-661 and 0000000013A00190 on win-host-ctus-attack-range-780): C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(<address>)

[record continued from the previous page; its EventID/RecordID header is not on this page] Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=[...] 14:14:04.351 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=6092 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-BF8C-63BE-9F00-00000000A702} TargetProcessId=172 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=102289 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:04.347 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=6092 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-BF8B-63BE-9D00-00000000A702} TargetProcessId=2144 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=102288 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:04.340 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=6092 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-BF11-63BE-8900-00000000A702} TargetProcessId=3180 TargetImage=C:\Windows\System32\msdtc.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=102287 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:04.331 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=6092 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-BEAB-63BE-7B00-00000000A702} TargetProcessId=3632 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=102286 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:04.326 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=6092 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-BEA4-63BE-7100-00000000A702} TargetProcessId=3944 TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=102285 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:04.325 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=6092 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-BE99-63BE-4500-00000000A702} TargetProcessId=3588 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=102284 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:04.319 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=6092 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-BE99-63BE-4400-00000000A702} TargetProcessId=3552 TargetImage=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39515 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.855 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-C0AB-63BE-C000-00000000A802} TargetProcessId=588 TargetImage=C:\Windows\system32\wbem\wmiprvse.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39514 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.852 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BEFF-63BE-8200-00000000A802} TargetProcessId=524 TargetImage=C:\Windows\System32\msdtc.exe GrantedAccess=0x40 CallTrace=[A]
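The ProcessAccess (Event ID 10) records on this page are the raw material for an lsass.exe access detection: one agent opens every process, lsass.exe included, with GrantedAccess 0x40 (PROCESS_DUP_HANDLE), while service processes open it with 0x1400 (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) or 0x1000. The example below is added here and is not code from the page, from Sysmon, or from any agent that appears in the events. It parses Sysmon events in their XML form, decodes the GrantedAccess mask into named rights, triages lsass.exe access by the rights requested and by whether the source is on an allowlist, and counts how many distinct targets each source opened with a given mask, which separates a process-wide sweep from a targeted open. The sample events are constructed to mirror the page's records; the allowlist, the scoring rules and the hypothetical `agent.exe` / `dump.exe` images are assumptions for illustration.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.

Added example: not code from the page, from Sysmon, or from any agent on it.
Sample events are constructed to mirror the page's records; the allowlist and
scoring thresholds are assumptions, not any vendor's detection logic.
"""
from __future__ import annotations

import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process-specific access rights from winnt.h (PROCESS_*), plus SYNCHRONIZE.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
DUMP_RIGHTS = 0x0010 | 0x0020 | 0x0002 | 0x0008   # read/write memory, new thread, VM ops
QUERY_ONLY = 0x0400 | 0x1000 | 0x100000           # rights that cannot read lsass memory

# Assumed allowlist (lower-case full paths) of sources permitted beyond query rights.
ALLOWLIST = frozenset({
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
})


def decode_access(mask: int) -> list[str]:
    """Name the rights set in a GrantedAccess mask; unknown bits are left as hex."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon event (System EventID + every EventData field) into a dict."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        rec[data.get("Name")] = (data.text or "").strip()
    return rec


def unbacked_frames(calltrace: str) -> list[str]:
    """Frames Sysmon could not map to a loaded module (code outside any image)."""
    return [frame for frame in calltrace.split("|") if frame.startswith("UNKNOWN(")]


def triage(rec: dict, allowlist: frozenset = ALLOWLIST) -> str:
    """Classify one record as ignore / info / review / alert."""
    if rec.get("EventID") != 10:
        return "ignore"
    if ntpath.basename(rec.get("TargetImage", "")).lower() != "lsass.exe":
        return "ignore"
    mask = int(rec["GrantedAccess"], 16)
    trusted = rec.get("SourceImage", "").lower() in allowlist
    if mask & DUMP_RIGHTS:                # what a MiniDumpWriteDump-style dumper needs
        return "review" if trusted else "alert"
    if mask & 0x0040:                     # PROCESS_DUP_HANDLE: handles can be duplicated out
        return "info" if trusted else "review"
    if mask & ~QUERY_ONLY == 0:           # query-only, e.g. 0x1400 from lsm inside svchost
        return "review" if unbacked_frames(rec.get("CallTrace", "")) else "info"
    return "review"


def sweep_summary(records: list[dict]) -> dict[tuple[str, str], int]:
    """Distinct targets per (SourceImage, GrantedAccess); a sweep touches many."""
    targets: dict[tuple[str, str], set] = {}
    for rec in records:
        if rec.get("EventID") == 10:
            key = (rec["SourceImage"], rec["GrantedAccess"])
            targets.setdefault(key, set()).add(rec["TargetImage"])
    return {key: len(val) for key, val in targets.items()}


def _event(src: str, src_pid: int, dst: str, dst_pid: int, access: str, trace: str) -> str:
    """Build a constructed Sysmon Event ID 10 record in the real event XML layout."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>10</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System><EventData>
<Data Name="SourceImage">{src}</Data><Data Name="SourceProcessId">{src_pid}</Data>
<Data Name="TargetImage">{dst}</Data><Data Name="TargetProcessId">{dst_pid}</Data>
<Data Name="GrantedAccess">{access}</Data><Data Name="CallTrace">{trace}</Data>
</EventData></Event>"""


LSASS = r"C:\Windows\system32\lsass.exe"
SAMPLE_EVENTS = [  # constructed sample data, shaped like the page's records
    _event(r"C:\Program Files\Agent\agent.exe", 1552, LSASS, 632, "0x40",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Agent\agent.exe+6a255|UNKNOWN(0000000013A00190)"),
    _event(r"C:\Program Files\Agent\agent.exe", 1552, r"C:\Windows\system32\svchost.exe", 868, "0x40",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Agent\agent.exe+6a255"),
    _event(r"C:\Windows\system32\svchost.exe", 728, LSASS, 632, "0x1400",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b"),
    _event(r"C:\Users\Public\dump.exe", 4412, LSASS, 632, "0x1fffff",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Users\Public\dump.exe+1a2b"),
]


def run(events: list[str] = SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    """Parse and triage every event; returns (SourceImage, GrantedAccess, verdict)."""
    records = [parse_event(xml) for xml in events]
    return [(rec["SourceImage"], rec["GrantedAccess"], triage(rec)) for rec in records]


if __name__ == "__main__":
    for src, access, verdict in run():
        print(f"{verdict:6} {access:>8} {decode_access(int(access, 16))} {src}")
    print(sweep_summary([parse_event(xml) for xml in SAMPLE_EVENTS]))
```

The 0x40 open of lsass.exe lands in "review" rather than "alert" because PROCESS_DUP_HANDLE by itself does not read memory, but it is the right an attacker needs to duplicate an existing privileged handle out of lsass.exe, so it deserves a human look when the source is not an expected agent; the same source opening dozens of other processes with the identical mask, which `sweep_summary` surfaces, is what lets an analyst recognise an inventory sweep instead of a targeted open.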
CallTrace[A] (identical in every aurora-agent.exe ProcessAccess record below, all on win-host-ctus-attack-range-780): C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190)

EventID=10 RecordID=39513 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.850 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE98-63BE-7400-00000000A802} TargetProcessId=3564 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39512 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.848 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE91-63BE-6200-00000000A802} TargetProcessId=3328 TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39511 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.847 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE88-63BE-3D00-00000000A802} TargetProcessId=2812 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39510 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.844 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE87-63BE-3C00-00000000A802} TargetProcessId=3024 TargetImage=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39509 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.844 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE87-63BE-2E00-00000000A802} TargetProcessId=2956 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39508 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.842 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE86-63BE-2600-00000000A802} TargetProcessId=2580 TargetImage=C:\Windows\system32\wbem\unsecapp.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39507 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.838 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE86-63BE-2500-00000000A802} TargetProcessId=2340 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39506 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.830 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-2200-00000000A802} TargetProcessId=1620 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39505 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.821 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-2000-00000000A802} TargetProcessId=1288 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39504 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.814 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1F00-00000000A802} TargetProcessId=1992 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39503 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.812 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1C00-00000000A802} TargetProcessId=1912 TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39502 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.803 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} TargetProcessId=1896 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39501 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.787 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1800-00000000A802} TargetProcessId=1780 TargetImage=C:\Windows\System32\spoolsv.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39500 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.782 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1700-00000000A802} TargetProcessId=1236 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39499 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.753 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1600-00000000A802} TargetProcessId=1224 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39498 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.742 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1500-00000000A802} TargetProcessId=1040 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39497 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.660 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1400-00000000A802} TargetProcessId=1032 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39496 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.635 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1300-00000000A802} TargetProcessId=868 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39495 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.598 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1200-00000000A802} TargetProcessId=1004 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39494 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.564 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1100-00000000A802} TargetProcessId=972 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=23 RecordID=39493 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.540 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=8408B59469112403949CBD310160663E,SHA256=3CFFCEA0B0A04E630A9F202E6CFCBFB4CA64536674F478CE040F9647F276D76D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 RecordID=39492 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.528 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-1000-00000000A802} TargetProcessId=944 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39491 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.496 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-0F00-00000000A802} TargetProcessId=904 TargetImage=C:\Windows\system32\dwm.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39490 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.470 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE85-63BE-0E00-00000000A802} TargetProcessId=896 TargetImage=C:\Windows\system32\LogonUI.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39489 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.446 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE84-63BE-0D00-00000000A802} TargetProcessId=788 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39488 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.426 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} TargetProcessId=728 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39487 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.422 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} TargetProcessId=632 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x40 CallTrace=[A]
EventID=10 RecordID=39486 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:04.419 SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} SourceProcessId=1552 SourceThreadId=92 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={3EE3745C-BE84-63BE-0900-00000000A802} TargetProcessId=572 TargetImage=C:\Windows\system32\winlogon.exe GrantedAccess=0x40 CallTrace=[A]
EventID=23 RecordID=102299 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:05.442 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=78544298C8EA1029A0C1531DA9D2D321,SHA256=E7474CEA4707D51EDAB5A5DEA7F33BCED06E60E50828DD1D8CC7F490E9A3BB5C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=39516 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:05.505 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=CA8BC1558874549EBC0C813E6560DFB5,SHA256=8847AE96D0E111949502A895BA525257E61E68B3FCCF72C364137193C6454CDA,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=102300 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:06.563 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=25B74223D8AE5A3328C912AE1A01AEB5,SHA256=3A098B8C9C16322F985E419BC42EE6DC647935088640E9DDBED8E05E1A43810D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=39517 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:06.731 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=6205D1CFDA67A66D3E966D2728A68429,SHA256=DC8B50CB9819F355D4BF37244065347202394E5859EF0B57801D0C2FC54027BF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=102302 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:07.666 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=A8DD54C660C51EBE675867E24CAB6A78,SHA256=3B3889B47D6C83BC28BB723E469C3E4A9566AF5B3A0334970EC8A0B104755296,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 RecordID=39523 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:07.826 SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} SourceProcessId=728 SourceThreadId=872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} TargetProcessId=632 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=39522 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:07.826 SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} SourceProcessId=728 SourceThreadId=872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} TargetProcessId=632 TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=39521 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:07.826 SourceProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} SourceProcessId=632 SourceThreadId=672 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={3EE3745C-BE85-63BE-1400-00000000A802} TargetProcessId=1032 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=23 RecordID=39520 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:07.818 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=7898DC21CBA04878AF8EC557191D4BE7,SHA256=501A8625CC9AAEAC6158DFA77CF6683EC2EEDC03F1CADD5896746037E8A4D7C8,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 RecordID=39519 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:07.811 SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} SourceProcessId=728 SourceThreadId=872 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} TargetProcessId=1552 TargetImage=C:\Program Files\Aurora-Agent\aurora-agent.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=3 RecordID=102301 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:06.009 ProcessGuid={7DAC9CB3-BEA4-63BE-7100-00000000A702} ProcessId=3944 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-661.attackrange.local SourcePort=59549 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=3 RecordID=39518 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:05.851 ProcessGuid={3EE3745C-BE91-63BE-6200-00000000A802} ProcessId=3328 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-ctus-attack-range-780.us-east-2.compute.internal SourcePort=49977 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 RecordID=39524 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:08.894 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=D47B8981EC7C6587F213163E7B1BD162,SHA256=B4BDAFA3281CD3C1F8304B91DBDF2191E21BDB156DE7F62D300B6B23532F6219,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=102303 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:08.767 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=24385DDDFC4634454F0AC2C500364B52,SHA256=66F45040053D2941C4918FF12F6EEBAF362A5E40D2FD4FF29D65829F0EAA7E22,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=102304 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:09.856 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=008861B32F647E37006BBAD8FC9F4323,SHA256=43FBF96541F80C0CDBFB42D117416829255870CD60C59FE8049A8D055414E3E0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=39525 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:09.305 ProcessGuid={3EE3745C-BE85-63BE-2200-00000000A802} ProcessId=1620 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml Hashes=MD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=102305 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:14:10.961 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=034FED3B20B1F7874FCABCB8031D5983,SHA256=556E8A37E45DBE3B2F84EE41166C546D6EA0A85474E9096CA96E70DFE2AB7F97,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 RecordID=39527 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:08.889 ProcessGuid={3EE3745C-BE85-63BE-2200-00000000A802} ProcessId=1620 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-ctus-attack-range-780.us-east-2.compute.internal SourcePort=49978 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8089 DestinationPortName=-
EventID=23 RecordID=39526 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:10.110 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C041A8AFF8946A4C6213E318756FD6B0,SHA256=F4BFA8AEC6B87547C199EDE0F0BD6979E6D6DA0FBB8710DA2427E7109276E595,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 RecordID=39556 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:14:11.944 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program [record truncated here; it continues on the next page]
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=04A5FF9403E1AF59A9E556ED47A991A6,SHA256=30A619B20F61E1AB2F0E6585D973F527C87805291B4D639575C38FF2BE2FBE26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C433-63BE-4401-00000000A802}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C433-63BE-4401-00000000A802}3152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.542{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C433-63BE-4401-00000000A802}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.543{3EE3745C-C433-63BE-4401-00000000A802}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.323{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFA558FA461ABDABD2C325C50244950,SHA256=F24BF22EA3D23C29966D405E04A673B46AB9CC871318EE7C9A70060F1FA52C6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.276{3EE3745C-C433-63BE-4301-00000000A802}35323816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C433-63BE-4301-00000000A802}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C433-63BE-4301-00000000A802}3532C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C433-63BE-4301-00000000A802}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.042{3EE3745C-C433-63BE-4301-00000000A802}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:12.147{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219FBAFCDAAD09BACC344EFF1EE813E1,SHA256=17ABB4B803FAC77361266EC371FD7655321DEDF1A44F2DA54FFCB86649F15915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.515{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4EAA4706B8A7D80F4B66B960F43984B8,SHA256=943049239484EB9FCBAB48F6C58C60AC194AB3CD6EF943C2168F5AF71BDE35AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.327{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B74BE6417F67BFADF4DAE59063C19F,SHA256=7924F4054176C3D1BDDF8E6AD3183953A9B4B2A6163D4D6AE9F7DC129F158D31,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000039570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.093{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=905FC363F9032BB13F40AEC057424B64,SHA256=310CF02A5196E3BAE6CE1D7735E126C7F7C7A0CD90B9CED00B3836ED20E34A20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C434-63BE-4501-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000039567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C434-63BE-4501-00000000A802}1068C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.046{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C434-63BE-4501-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:12.047{3EE3745C-C434-63BE-4501-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:11.940{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59550-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:13.246{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825202F7730F67D3BA306E5EF95F786C,SHA256=5A82192FBABEA89751BD58BC92A96BC53D46D3AE8DA36D7A89406EF915AC56B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:11.661{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49979-false10.0.1.12-8000- 23542300x800000000000000039573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:13.403{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474FFD697B19ECFE9C8753D5E8948755,SHA256=C0D22E11612E4909D20C6A0E6BCC2BB3E1DDCE54A2B2BE6EC034FFCAA317D741,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:14.584{7DAC9CB3-BE89-63BE-0D00-00000000A702}8966096C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:14.349{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86477C39E75EF71202F327CECAD3368F,SHA256=90E247122134CC330501A0A3C32D2782B98DF91A68607AD39DE3723721B39AC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.836{3EE3745C-C436-63BE-4701-00000000A802}3868356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C436-63BE-4701-00000000A802}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C436-63BE-4701-00000000A802}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:14.570{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.570{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C436-63BE-4701-00000000A802}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.572{3EE3745C-C436-63BE-4701-00000000A802}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.507{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861B82FB615E19E43D06C50C94BC8A49,SHA256=443A0AFC00EE5C749EFD470B9065304C04C087461B3E83F94C1AC280B333B98F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.195{3EE3745C-C436-63BE-4601-00000000A802}37603840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C436-63BE-4601-00000000A802}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:14.004{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:14:20.997{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:20.885{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B28CA3AF001B6317794EA09E8316AE1,SHA256=073BB3011212E4AE8679BECCE9EB9EBE1C21BD3D8B4A9DAF2468CAE97CCBCF49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:20.319{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8406AB9CC9079AF1A0ED8E73DB74482,SHA256=4B5B4CBAE04BE3B5BEBCE60EF56846A83AC8D3585EFC063410EAA29FAC4E3BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:20.407{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program 
Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=FC8E57C63BE7CA1ABB5D69CA0FDDCFE0,SHA256=ED2943E51A6707A3408E4F170929395D5A66C0DD2A617CEB1191D186F3D33166,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:20.298{7DAC9CB3-BE89-63BE-0D00-00000000A702}8966096C:\Windows\system32\svchost.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:21.517{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE66D76EF7A91D7525F87EBD735AB210,SHA256=A17F6DC9BC4F32187B5509FD11CBD4BCCDFFF6DCCB24410A7B375F781A21B2A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.365{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.345{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.333{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.327{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.324{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.320{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.277{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.260{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.245{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.196{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.183{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.174{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.166{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.158{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.147{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.130{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.123{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:21.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000039639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:22.713{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3BE02123A611873B37596E2CB7DEC13,SHA256=7E23F9BCA68DCBB9D9E4B18E8FD6AF451CA49DAB96362743AD3ACFA9DCDC5904,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:22.103{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:22.103{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:22.097{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:22.094{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:22.086{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:22.077{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:22.073{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:22.007{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D36ADA3931E5E9B6141609E42173779,SHA256=EA2FF400CDD1648BAF2C26B6E26CFC907127F3C05EFB48CD8AB019ECC77550C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:23.816{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4399E223CCA8E22E185E02AF6F87CF0B,SHA256=9F184C9CEECF748DBEAA7B4FD6E5C82ED59444D887CCDE81678A6A821A3194BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:23.965{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=334F7890BDD51FCA46ECBADE0F9E7CC0,SHA256=32E83DF532BC0FAE8503B7E7C90265AC83096AC38F6DE17988A267BFA97F47F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:23.104{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CF1DA00AFBC8EBDEC333A917CABE2E,SHA256=D7F3CD005FC2BF8A694B6954495F86E3BDCB4AA6A3B4E996C72CBED8959DE008,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:22.929{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59553-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000102368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.791{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 
10341000x8000000000000000102367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.788{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.761{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.745{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.715{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.698{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.679{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.661{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.661{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.657{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.653{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.649{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.648{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.645{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000102354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.191{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0330AF6C0BCC6DF9F6C641B09A6C4580,SHA256=CD839143396FE0F7DB03DF3EF6EDCD1CFC20C2CDB116756662FA9B4711968B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.129{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.128{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000102351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:24.127{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000039669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.606{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.601{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.599{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.595{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.593{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.590{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.589{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.587{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.582{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.575{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.557{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.553{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.551{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.542{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.534{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.532{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.515{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.503{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.476{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.468{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.459{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.450{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.441{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.433{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.424{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000039644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:24.417{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:32.975{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADC46341D3CD599AEE687B168626232,SHA256=4E1D5E3121DBCD190632824EFCAF55EAB427377488D93CB04FF1DBEEB8715FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:32.093{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454408994CE70CE4776A8BA45EA7D55E,SHA256=FBE74CA50ED1343564FF10021F67ED813D9F43045E42647831A63F249E2A6E84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:29.741{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59555-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 
354300x8000000000000000102412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:29.741{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59555-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 23542300x800000000000000039679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:33.196{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4DC316BB74765F1D334A9CCBDB1583,SHA256=C6101328F7D54ABBA1C4CCBE990C0BC1363E73BC91EFC6AE2963BFBA939F9E56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.481{7DAC9CB3-C449-63BE-A401-00000000A702}69806572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.340{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.339{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.339{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.338{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.338{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.338{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.216{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.213{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:33.212{7DAC9CB3-C449-63BE-A401-00000000A702}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:34.296{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC960B8EEEBB441F29A81F5EA666E0B5,SHA256=537B389C10C648FA5BCE7400312E07ECFAF041CB0A91C95A4F238644592F29C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C44A-63BE-A601-00000000A702}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C44A-63BE-A601-00000000A702}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.858{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C44A-63BE-A601-00000000A702}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.859{7DAC9CB3-C44A-63BE-A601-00000000A702}3408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.418{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-11_141420MD5=A7A8591770D1E7947AFD20661385A67A,SHA256=C6AE17AEA8C7CE3A07315BB9D82036EEE1FB4E1DEFB02E1D15CC325C92B45E77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.390{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 
10341000x8000000000000000102442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.389{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.389{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.389{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.388{7DAC9CB3-C44A-63BE-A501-00000000A702}66646668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C44A-63BE-A501-00000000A702}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.186{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
Sysmon EventID=10 ProcessAccess Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=102435 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:14:34.186 SourceProcessGUID={7DAC9CB3-BE86-63BE-0500-00000000A702} SourceProcessId=420 SourceThreadId=436 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={7DAC9CB3-C44A-63BE-A501-00000000A702} TargetProcessId=6664 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
Sysmon EventID=10 ProcessAccess Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=102434 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:14:34.186 SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId+SourceThreadId=8364356 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
Sysmon EventID=10 ProcessAccess Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=102433 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:14:34.186 SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId+SourceThreadId=8364356 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
Sysmon EventID=10 ProcessAccess Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=102432 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:14:34.186 SourceProcessGUID={7DAC9CB3-BE97-63BE-2800-00000000A702} SourceProcessId=2656 SourceThreadId=3220 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={7DAC9CB3-C44A-63BE-A501-00000000A702} TargetProcessId=6664 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
Sysmon EventID=1 ProcessCreate Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=102431 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:14:34.187 ProcessGuid={7DAC9CB3-C44A-63BE-A501-00000000A702} ProcessId=6664 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe FileVersion=- Description=- Product=- Company=- OriginalFileName=- CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={7DAC9CB3-BE87-63BE-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 ParentProcessGuid={7DAC9CB3-BE97-63BE-2800-00000000A702} ParentProcessId=2656 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
Sysmon EventID=23 FileDelete Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=102430 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-661.attackrange.local RuleName=- UtcTime=2023-01-11 14:14:34.090 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=A6588665C351844A2701F322ECDD91BE,SHA256=7309B7BA88290E24F6595589D10A11108581FB2CD01EB1C75547C3A6AA33402A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
Sysmon EventID=3 NetworkConnect Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39683 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780 RuleName=- UtcTime=2023-01-11 14:14:33.863 ProcessGuid={3EE3745C-BE91-63BE-6200-00000000A802} ProcessId=3328 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-ctus-attack-range-780.us-east-2.compute.internal SourcePort=49983 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
Sysmon EventID=23 FileDelete Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=39682 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-ctus-attack-range-780 RuleName=- UtcTime=2023-01-11 14:14:35.586 ProcessGuid={3EE3745C-BE85-63BE-1C00-00000000A802} ProcessId=1912 User=NT
AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-023MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:35.393{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E651749FC83737C48BB636157DEE8387,SHA256=89E8DB4C6FC79BB78912C709962FBC7F593E96289B3CAB1562AFE769280A317C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:35.904{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96D1B1FCE905B9CFFCE4D3699F26BC91,SHA256=606DA36E77CE4D4895E5546BF9C2C75F20FF874FB0866EF04B9FB709E08FE7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:34.012{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59556-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:35.176{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB34B8F6491CCD422491724D309904ED,SHA256=1EBE28286F9D09FB8964C6B1F3B6E2633FE01D1E014AFA34E8EF955099BA254B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:35.096{7DAC9CB3-C44A-63BE-A601-00000000A702}34083792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:36.593{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE73E9D7A03695501A7C2F868247EBAF,SHA256=AF8B4CF807C663353185383D1A495DF0BE4AF5FBA1AC8E45C535B122DC14185B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:36.584{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C44C-63BE-A701-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C44C-63BE-A701-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C44C-63BE-A701-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.535{7DAC9CB3-C44C-63BE-A701-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:36.366{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98ED30D7F12E3AE604D6082443EA015A,SHA256=AB373B8AFA805D9847887F41DC280F2BDC98F6171C0622F41DE87C562C25A877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:37.688{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C57B02D970E690BD6DC8F18EDD57E9,SHA256=D2E5A8AD019A1EE20EADF898341F14CA08D02A16932BBCE50D6F0803A85E7565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:37.459{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB88DF97C903DBC55E560CB49E6D8F24,SHA256=9807A882061812004059351EFFA85EF154A5D40BBD8F258AF4B807D58EE00E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:38.786{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B3F853EB908C3187DAC594B70A5453,SHA256=76CE746E5F37D2C6649AA5F354C3F441DC896D3C51376E8A852C342C5E5E4A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:14:38.551{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3931132C51BE421517D42699E87AE096,SHA256=71376A36C6B141FF7A762F981A1F65241FF98449DBC3072EBE613D0701407F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:39.886{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE97A95AE1AF8F3C8576D55871B697F,SHA256=938ABCF28FBDC8418BE0AC87E6D0395AF3DA48C2BAF1937B37978B264DA1727F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:39.644{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1A74EDE1C1BE2F9DE88EB6D0B63749,SHA256=F69508BCD633FC8C716E2C4FFE3F9DBC8AFEEF7F748AEF5471EEF35FEF430AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:39.238{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2023-01-11_141420MD5=F70250679FF7648CFE8FB2B4B1EF0C77,SHA256=32017BF17DE9F582E72AB851F09A4777154E7796689844EB17D08B41A076CCBB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000102468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:39.238{7DAC9CB3-C226-63BE-5B01-00000000A702}4528ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=4EBD3DC66CBC7FA14171CD13DD4ADD2D,SHA256=D4DEF05F896BADA80B1E9D6DED7A44C7CD46242223146B131AA73D3BB94F805D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:40.985{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136A576DE6737DE4FD7DBFC0AAD72AC3,SHA256=8247D1FCEA5131156225E44F6E228BB037A058DBBC994B9FB27AF348C0636D43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:40.995{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:40.993{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 13241300x8000000000000000102481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0016aa3f) 13241300x8000000000000000102479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0xa9a23902) 13241300x8000000000000000102478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c7-0x0b66a102) 
13241300x8000000000000000102477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x6d2b0902) 13241300x8000000000000000102476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0016aa3f) 13241300x8000000000000000102474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925be-0xa9a23902) 13241300x8000000000000000102473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c7-0x0b66a102) 13241300x8000000000000000102472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:14:40.857{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925cf-0x6d2b0902) 
23542300x8000000000000000102471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:40.748{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C491C7FA7A82FCB0F231065A43D6D650,SHA256=84AAD6CB937B026FABA9C702556156B8C51D2ED42A2EF6E4E87F0F6DFA507A44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.777{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.775{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.765{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.762{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.753{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.751{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.745{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.226{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.213{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.206{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.202{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.200{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.197{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.168{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.162{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.157{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.142{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.133{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.126{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.111{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.101{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.080{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.064{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.053{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 23542300x8000000000000000102510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:42.859{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398883BC40E1057CBED7CCF38361D669,SHA256=64BA50BEE88A5F05D63C1E8098E35EAF79146667EA0C8C219B293D143D412976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:42.660{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0FDB7BB742DC5BEF83E580D140AB5089,SHA256=EFF576552D65DBA6C8331885BAD8DFE53B34AD02936E0337969B883D9A83B2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:42.174{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5518A979B740F91A4955350FFA89E5,SHA256=5536962A5D7131435F2836791E4BC5EBA2D8D2ED913FB99F65F621590C022EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:42.089{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D9EF22D79A3AE6138D143835864965,SHA256=C853D58C11EE29E804597DD6545B67C51701A66B74990BEE484A754DB9D0A809,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:39.899{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59557-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000039690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:39.799{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49984-false10.0.1.12-8000- 23542300x8000000000000000102514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:43.962{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A3BACDDB402644752F8C04E58E1D19,SHA256=8D90BB9029549EC46298B4F26EF01451975162503DF41A2F687D7D34AFE7BAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:43.276{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067FCC6807D3F69FF8428EBC8C20D361,SHA256=6E3F301C1A19B0737B95DB0B783A13ABAFE69C8B8F9F4955BB2C71871C412A70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:43.800{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:43.799{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:43.798{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x800000000000000039723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.675{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.671{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.669{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.666{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.665{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.662{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.661{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.658{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.656{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.652{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.645{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.641{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.637{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.629{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000039709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:44.618{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 
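The records above are Sysmon Event ID 10 (ProcessAccess) entries in which aurora-agent.exe opens a handle to one process after another (svchost.exe, dns.exe, spoolsv.exe, sysmon64.exe, the Splunk forwarder, and so on) with GrantedAccess 0x40, which is PROCESS_DUP_HANDLE, from the same wow64 call trace every time. That shape, one source image touching every process with a constant mask and an identical CallTrace, is the baseline an endpoint agent's process scan leaves behind, and it is what a detection engineer wants to subtract before looking at the remaining ProcessAccess events. The fields in the dump have lost their separators: EventID, Version, Level, Task, Opcode, Keywords and EventRecordID are fused, then Channel, Computer, RuleName (`-`), UtcTime, and for Event ID 10 the SourceProcessGUID, SourceProcessId and SourceThreadId (fused, e.g. `58406048`), SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess and CallTrace. The parser below is an added example written for this page, not code from the dump's producer or from any agent vendor; it works on a constructed sample: three records shaped like the ones above (with a line wrap kept inside one of them and the call traces shortened), plus one synthetic record that is not on the page at all (a hypothetical scanner path, all-zero GUIDs, mask 0x1010 against lsass.exe) which exists only to show what the baseline filter lets through. The fused PID/TID pair is kept raw because it cannot be split unambiguously without the original XML.

```python
"""Parse flattened Sysmon records like the ones in this dump and separate the
EDR handle-scan pattern (Event ID 10, GrantedAccess 0x40) from anything else."""
import re
from collections import Counter

CHANNEL = "Microsoft-Windows-Sysmon/Operational"
KEYWORDS = "0x8000000000000000"
PROCESS_DUP_HANDLE = 0x0040   # the only access right the agent asks for above

# Constructed sample input. Records 1-3 are shaped like the dump (one wrapped
# line kept, call traces cut to a few frames). Record 4 is SYNTHETIC and not on
# the page: hypothetical scanner path, all-zero GUIDs, 0x1010 against lsass.exe.
SAMPLE = r"""10341000x8000000000000000102502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.751{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:41.226{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 23542300x8000000000000000102510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:42.859{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398883BC40E1057CBED7CCF38361D669,SHA256=64BA50BEE88A5F05D63C1E8098E35EAF79146667EA0C8C219B293D143D412976,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000900001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.000{00000000-0000-0000-0000-000000000000}41001234C:\Windows\Temp\example-scanner.exe{00000000-0000-0000-0000-000000000000}656C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(0000000000401000)"""

WRAP = re.compile(r"[ \t]*\n[ \t]*")            # a line wrap inside one record
RECORD_START = re.compile(r"\s+(?=\d+" + KEYWORDS + r"\d+" + re.escape(CHANNEL) + ")")
HEADER = re.compile(                             # fused prefix, channel, host, RuleName "-", UtcTime
    r"^(?P<hdr>\d+)" + KEYWORDS + r"(?P<record_id>\d+)" + re.escape(CHANNEL)
    + r"(?P<computer>.+?)-(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$"
)
GUID = r"\{[0-9A-F-]{36}\}"
PROCESS_ACCESS = re.compile(                     # Event ID 10 body
    r"^(?P<src_guid>" + GUID + r")(?P<src_pid_tid>\d+)(?P<src_image>[A-Z]:\\.+?)"
    r"(?P<tgt_guid>" + GUID + r")(?P<tgt_pid>\d+)(?P<tgt_image>[A-Z]:\\.+?)"
    r"(?P<access>0x[0-9A-Fa-f]+)(?P<trace>[A-Z]:\\.+|UNKNOWN.*)$"
)


def split_header(hdr):
    """Undo the fused <EventID><Version><Level><Task><Opcode> prefix. In this dump
    Task repeats EventID, Level is 4 and Opcode is 0, so EventID is the first k
    digits where 2k+3 == len(hdr) and the same k digits reappear as Task."""
    k, rem = divmod(len(hdr) - 3, 2)
    eid, version, level, task, opcode = hdr[:k], hdr[k], hdr[k + 1], hdr[k + 2:2 * k + 2], hdr[-1]
    if rem or not eid or eid != task or level != "4" or opcode != "0":
        raise ValueError("unrecognised header prefix: " + hdr)
    return int(eid), int(version)


def split_records(text):
    """Rejoin wrapped lines, then cut the stream at every record header."""
    flat = WRAP.sub(" ", text.strip())
    return [r for r in RECORD_START.split(flat) if r]


def parse_record(rec):
    m = HEADER.match(rec)
    if not m:
        raise ValueError("not a Sysmon record: " + rec[:60])
    event_id, version = split_header(m["hdr"])
    ev = {"event_id": event_id, "version": version, "record_id": int(m["record_id"]),
          "computer": m["computer"], "utc_time": m["utc"], "body": m["body"]}
    if event_id == 10:                           # ProcessAccess: pull the named fields out
        b = PROCESS_ACCESS.match(m["body"])
        if not b:
            raise ValueError("unparsed ProcessAccess body: " + m["body"][:60])
        ev.update(b.groupdict())
        ev["access"] = int(b["access"], 16)
        # src_pid_tid is SourceProcessId+SourceThreadId fused (e.g. 58406048);
        # it cannot be split unambiguously, so it is left as the dump has it.
    return ev


def is_edr_handle_scan(ev):
    """The baseline that fills the dump: the agent duplicating a handle into each
    process (PROCESS_DUP_HANDLE only) from its wow64 call path. Keyed on source
    image AND mask AND trace so a different mask from the same image still surfaces."""
    return (ev["event_id"] == 10
            and ev["src_image"].lower().endswith(r"\aurora-agent\aurora-agent.exe")
            and ev["access"] == PROCESS_DUP_HANDLE
            and "wow64" in ev["trace"].lower()
            and "aurora-agent.exe+" in ev["trace"])


def triage(text):
    """Return (all events, Counter of baseline scans per host/target, non-baseline EID 10)."""
    events = [parse_record(r) for r in split_records(text)]
    noise, suspicious = Counter(), []
    for ev in events:
        if ev["event_id"] != 10:
            continue
        if is_edr_handle_scan(ev):
            noise[(ev["computer"], ev["tgt_image"].rsplit("\\", 1)[-1].lower())] += 1
        else:
            suspicious.append(ev)
    return events, noise, suspicious


if __name__ == "__main__":
    events, noise, suspicious = triage(SAMPLE)
    print(f"{len(events)} records, {sum(noise.values())} baseline handle-scan events")
    for (host, target), n in sorted(noise.items()):
        print(f"  baseline  {host}  {target}  x{n}")
    for ev in suspicious:
        print(f"  REVIEW    {ev['utc_time']}  {ev['src_image']} -> {ev['tgt_image']}  access=0x{ev['access']:x}")
```

On the full dump the baseline counter is what you would expect to see: one entry per host and target image, all at mask 0x40, and `suspicious` empty. Running it on the constructed sample leaves exactly the synthetic record in `suspicious`, because 0x1010 includes PROCESS_VM_READ (0x0010), a right the baseline never requests; the filter deliberately matches on the mask and call trace as well as the source image, so an agent binary asking for more than PROCESS_DUP_HANDLE would also be surfaced rather than allowlisted by name.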
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E7BF55D48A61C467A25E054392022C,SHA256=E6FE5B5A4E92FE8216B9E4CBC654A3C16104E1018A5D2341D4612B87DB821191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:58.904{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6C695ACDCD6CB2C75BBD8C92B7E43A,SHA256=9809AD36BFE49879AF813DBEB08FC6EBA4B26E1F1315A0DD4F41DA6E9504664E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:56.974{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59560-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:58.420{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF9B9588C5823D94313676C6B68884B,SHA256=178DC75B89FDF3496B8F8039D127B83C3C121E25639849AA437AA96040EF202D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:14:56.768{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49987-false10.0.1.12-8000- 23542300x8000000000000000102551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:14:59.523{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8BD90BD8615AA63E45552DA4D19016,SHA256=B6AD6D69A040444B583DD94892376D72EEBCBF6956F23E2E491A88B8CFE3C0A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.989{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.987{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000102553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.882{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB6C45BA1DD794E42878C279F034B081,SHA256=400FFDA5DDF664D6DF31A97B24C51A46C37B3C758ABF17DDF416CCE11F21FF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.616{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B11677F6811F8BCB1925EF2FE7ACC6,SHA256=EB9790EFAA06F43A81FDCE219E8E5A36E75CA3C875E44EBB3C1D3C029487D776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:00.112{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E3D12F2E1EA2FD01CAB371700E5F92,SHA256=1A6504F798B732A5394C9709A803816E39E6FBBAEB43546E2A85C3EB82602EAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.836{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.834{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.829{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.826{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.819{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.816{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.811{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000102573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.761{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FB10C8BFC0F17EA2A5E432D77713B5,SHA256=EB2AEFB187FA98F850B7E0D08A8DEB34775E7C198A523B4CD3BF5E63158FFF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:01.318{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48486BD9B84F0E0CD29C8A6824FA053,SHA256=E229BF238E7046305E8ED1C7D35B67F2A7B85885ADD7EEFBD62B91E4EDC757DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.237{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.210{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.207{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.205{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.203{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.169{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.159{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.154{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.137{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.122{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.108{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.097{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.085{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.068{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.054{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:01.046{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000102582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:02.858{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57D3EFE2A3F372DDCFCDFCADF29AB08,SHA256=EF6B64C041B4E868DCE3DC7D8EFAD0843C964FEC516F9BE0AEA03D857940AFF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:00.218{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49988-false169.254.169.254-80http 23542300x800000000000000039743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:02.410{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2A8781F778B98776914BB8CE14AD23,SHA256=2498B2DCC6F77FE5FA3F7494E4DE8C18F1094FD6C023C9C3EE2B1A5E575B8A32,IMPHASH=00000000000000000000000000000000falsetrue 
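The EventID 10 (ProcessAccess) burst on the domain controller at 14:15:01 shows C:\Program Files\Aurora-Agent\aurora-agent.exe opening lsass.exe, winlogon.exe, dns.exe, sysmon64.exe, every svchost.exe and the other services within about one second, each with GrantedAccess 0x40 and the same wow64 call stack. 0x40 is PROCESS_DUP_HANDLE alone, with no PROCESS_VM_READ, so this is a security agent sweeping the process list rather than credential theft, which needs memory-read rights (0x1010, PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, is the usual mask of a memory reader) or full access (0x1FFFFF). The Python below is an added example, not part of this log and not code from Sysmon, Splunk or the Aurora agent. It parses records in the tag-stripped layout seen here, recovers the fused SourceProcessId/SourceThreadId digits (Windows hands out both as non-zero multiples of 4, which is enough to split every fused value in this log unambiguously; the function returns None when it is not), and triages lsass.exe access with an allowlist keyed on exact source image plus exact access mask, so an allowlisted agent that suddenly asks for 0x1010 still alerts. The sample input embeds three records copied from this log (call traces shortened to their first and last frames) and one constructed record with an unknown image and 0x1010, labelled as such; ALLOWLIST and DANGEROUS are assumptions for this environment.

```python
"""Triage Sysmon EventID 10 (ProcessAccess) records in the tag-stripped layout of this log.
Added example; ALLOWLIST and DANGEROUS are assumptions for this environment, not Sysmon defaults."""
from __future__ import annotations
import re
from collections import namedtuple

PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION = 0x0002, 0x0008       # winnt.h process rights
PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE = 0x0010, 0x0020, 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights a credential dumper or injector needs on lsass.exe (assumption: tune per estate).
DANGEROUS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD
# Assumed allowlist of (exact source image, exact mask): the agent in this log opens every
# process with PROCESS_DUP_HANDLE only, so that pairing is accepted and nothing wider.
ALLOWLIST = {(r"C:\Program Files\Aurora-Agent\aurora-agent.exe", PROCESS_DUP_HANDLE)}

# A record starts with the fused <EventID><Version><Level><Task><Opcode> digits and the
# Keywords value (constant in this log); records are separated by whitespace.
RECORD_START = r"\d+0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational"
# EventID 10 v3 fields: RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId,
# SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace.
# GrantedAccess is matched lazily up to the CallTrace start (a drive letter or UNKNOWN( ) so
# that "lsass.exe0x40C:\..." yields 0x40 and not 0x40C.
EID10 = re.compile(
    r"^10341000x8000000000000000(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    r"\{(?P<src_guid>[0-9A-F-]+)\}(?P<src_pidtid>\d+)(?P<src_image>.+?\.exe)"
    r"\{(?P<tgt_guid>[0-9A-F-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>.+?\.exe)"
    r"(?P<access>0x[0-9A-Fa-f]+?)(?=[A-Z]:\\|UNKNOWN\()(?P<calltrace>.*)$")

SAMPLE_LOG = (  # three records copied from this log (call traces shortened) and one constructed
    r"10341000x8000000000000000102555Microsoft-Windows-Sysmon/Operational"
    r"win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.989"
    r"{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program " "\n"   # wrapped mid-path
    r"Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636"
    r"C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|"
    r"C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) "
    r"10341000x8000000000000000102554Microsoft-Windows-Sysmon/Operational"
    r"win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.987"
    r"{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe"
    r"{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(0000000013038850) "
    r"23542300x8000000000000000102553Microsoft-Windows-Sysmon/Operational"
    r"win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:00.882"
    r"{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEM"
    r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log"
    r"MD5=DB6C45BA1DD794E42878C279F034B081,SHA256=400FFDA5DDF664D6DF31A97B24C51A46C37B3C758ABF17DDF416CCE11F21FF2E,"
    r"IMPHASH=00000000000000000000000000000000falsetrue "
    # CONSTRUCTED, not in this log: an unknown image opening lsass.exe with 0x1010
    # (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION), the mask memory readers use.
    r"10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operational"
    r"win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.000"
    r"{7DAC9CB3-C000-63BE-FF00-00000000A702}73167320C:\Users\Public\tool.exe"
    r"{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1010"
    r"UNKNOWN(0000000000401000)")


def split_records(text: str) -> list[str]:
    """Re-join wrapped lines, then split on the whitespace that precedes each record header."""
    parts = re.split(r"\s+(?=" + RECORD_START + ")", text.replace("\n", ""))
    return [p.strip() for p in parts if p.strip()]


def split_pid_tid(fused: str):
    """Recover (pid, tid) from the fused digit run. Windows allocates process and thread IDs
    as non-zero multiples of 4 and neither is printed with a leading zero; return the split
    only when exactly one cut satisfies that (a heuristic), else None."""
    cuts = [(int(fused[:i]), int(fused[i:])) for i in range(1, len(fused))
            if fused[0] != "0" and fused[i] != "0"
            and int(fused[:i]) % 4 == 0 and int(fused[i:]) % 4 == 0]
    return cuts[0] if len(cuts) == 1 else None


def parse_process_access(text: str) -> list[dict]:
    """Return the EventID 10 records as dicts; records of other event IDs are skipped."""
    events = []
    for rec in split_records(text):
        m = EID10.match(rec)
        if m is None:
            continue
        pid, tid = split_pid_tid(m["src_pidtid"]) or (None, None)
        events.append({"record_id": int(m["record_id"]), "computer": m["computer"],
                       "utc": m["utc"], "src_image": m["src_image"], "src_pid": pid,
                       "src_tid": tid, "tgt_pid": int(m["tgt_pid"]),
                       "tgt_image": m["tgt_image"], "access": int(m["access"], 16),
                       "calltrace": m["calltrace"].split("|")})
    return events


Verdict = namedtuple("Verdict", "record_id verdict source_image granted_access")


def triage_lsass_access(text: str) -> list[Verdict]:
    """Classify each open of lsass.exe: allowlisted image+mask, dangerous rights (alert),
    or a low-privilege open from an unknown image that still deserves review."""
    out = []
    for ev in parse_process_access(text):
        if not ev["tgt_image"].lower().endswith("\\lsass.exe"):
            continue
        access = ev["access"]
        if (ev["src_image"], access) in ALLOWLIST:
            verdict = "allowlisted"
        elif access & DANGEROUS or access == PROCESS_ALL_ACCESS:
            verdict = "alert"
        else:
            verdict = "review"
        out.append(Verdict(ev["record_id"], verdict, ev["src_image"], access))
    return out


if __name__ == "__main__":
    for v in triage_lsass_access(SAMPLE_LOG):
        print(f"{v.record_id} {v.verdict:<11} {v.source_image} GrantedAccess=0x{v.granted_access:x}")
```

Keying the allowlist on the exact mask matters: an entry on image path alone would also swallow the day the same agent path is abused to open lsass.exe with 0x1010. The winlogon.exe record is parsed but produces no verdict, and the EventID 23 record is skipped at the regex, which is the behaviour a production version should keep when it meets EventID 3 and other types in the same stream.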
Field layout for the records below (Sysmon event XML with its tags stripped, re-labelled per the Sysmon schema, one record per line, source order kept): every record carries Level=4, Opcode=0, Keywords=0x8000000000000000, Channel=Microsoft-Windows-Sysmon/Operational and RuleName=-. EventID 23 (FileDelete) records are Version=5 Task=23; EventID 3 (NetworkConnect) records are Version=5 Task=3; EventID 10 (ProcessAccess) records are Version=3 Task=10. In EventID 10 records the SourceProcessId and SourceThreadId digits are fused in the source and are kept fused here.

EventID=23 | EventRecordID=102581 | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:15:02.112 | ProcessGuid={7DAC9CB3-BE89-63BE-1100-00000000A702} | ProcessId=412 | User=NT AUTHORITY\LOCAL SERVICE | Image=C:\Windows\System32\svchost.exe | TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat | Hashes=MD5=2D7818BB8725E8573939117B5D213B23,SHA256=1F0A74D9FBCE1D4FDE8D6AE8A68FF48CE6153D1FA93EC0EF4397AC8B7697D07D,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=23 | EventRecordID=102586 | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:15:03.942 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=14FEE24C4736BC963205E7501E2EE3B9,SHA256=0054DD54887447886B5C6EF708A54AF453AA2CFFE3D0115F044397664CEF130F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=10 | EventRecordID=102585 | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:15:03.876 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId+SourceThreadId=58405876 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE98-63BE-3D00-00000000A702} | TargetProcessId=3280 | TargetImage=C:\Windows\System32\vds.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
EventID=10 | EventRecordID=102584 | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:15:03.875 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId+SourceThreadId=58405876 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE98-63BE-3600-00000000A702} | TargetProcessId=3116 | TargetImage=C:\Windows\system32\conhost.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
EventID=10 | EventRecordID=102583 | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:15:03.874 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId+SourceThreadId=58405876 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-3100-00000000A702} | TargetProcessId=3028 | TargetImage=C:\Windows\system32\wbem\unsecapp.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850)
EventID=3 | EventRecordID=39746 | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:15:01.840 | ProcessGuid={3EE3745C-BE91-63BE-6200-00000000A802} | ProcessId=3328 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-ctus-attack-range-780.us-east-2.compute.internal | SourcePort=49989 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=39745 | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:15:03.502 | ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId=3564 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=5A3517B8AE44B4039A6DCCBEE41703A9,SHA256=F02C604B861AFD7C9C2613E131EB69260907D23D2473B2CA530B14B53CFDA016,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventID=10 | EventRecordID=39776 | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:15:04.698 | SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} | SourceProcessId+SourceThreadId=1552340 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={3EE3745C-C0AB-63BE-C000-00000000A802} | TargetProcessId=588 | TargetImage=C:\Windows\system32\wbem\wmiprvse.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190)
EventID=10 | EventRecordID=39775 | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:15:04.693 | SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} | SourceProcessId+SourceThreadId=1552340 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={3EE3745C-BEFF-63BE-8200-00000000A802} | TargetProcessId=524 | TargetImage=C:\Windows\System32\msdtc.exe | GrantedAccess=0x40 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190)

10341000x800000000000000039774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.687{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.683{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.681{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.677{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.674{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.673{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.669{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.659{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.648{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.639{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.634{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.617{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.600{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.595{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 23542300x800000000000000039760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.581{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0A1841E2860FE1F409E4403B5A4B3D,SHA256=B1413ED43D8D9E7508DE22405A782E74B9795ED3CF0FE75EFBDE91BFB063D008,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.574{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.560{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 354300x8000000000000000102601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:02.983{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59561-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000102600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.510{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.508{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.492{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.472{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.424{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.416{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.404{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.399{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.397{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.394{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.390{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.387{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.386{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000102587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:04.383{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.525{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.518{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 
10341000x800000000000000039755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.503{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.484{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.467{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.446{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.432{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.425{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.418{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.413{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:04.412{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 23542300x800000000000000039777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:05.652{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2750A2F8E895927C98857BF3C9004A87,SHA256=497877427FFE8171C355B204540FC4345357F1C87BF6FF936769B75038B11539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:05.144{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3F1DF77DCE039F813A09A9302F2C3C,SHA256=761926201466FAE72113CCB2AEECB1313C59DADF56CBF2707525C899EBAC0951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:06.747{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D0363814371A405BF1DCB8EB85555C,SHA256=CB0198906E4487D9106736467FE84D5758FE0EEB0A545367115C68916C28EDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.547{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6EDDB5EF8133E717646B6AF1DFCB72,SHA256=E65DFF9D2E826C5A89CC38D3EF7C099515837B25604F9DE17223E348090F3E3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.013{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.012{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:06.012{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:06.012{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:07.837{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B73E018022DE62296FDFDD902C0BF19,SHA256=9668F2E6E26A5D29AD5A884D1CA37FC8AFCDE849F19D9E7565D85D985CCBF434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:07.826{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:07.826{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:07.826{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:07.812{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:07.565{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AE3F7E2695B27AFEF769954AC7BCA5,SHA256=625F1852F90C067F96B69583A46A3611F91002B957C2C1F85A8D4C8C89ED1DB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:07.173{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:07.173{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:07.173{7DAC9CB3-BE89-63BE-1300-00000000A702}9321556C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:08.927{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E881A8CF7BC03209CB5EBDB4F99F954,SHA256=650D4EAAAC98E0A01946A32FA22E61FF8EF4F778A55DE763729207042B7DCCF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:06.854{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49990-false10.0.1.12-8000- 23542300x8000000000000000102642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:08.975{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A89FDFCD19253D5068F7AFCC31307689,SHA256=A2C2B66BBA8FB2E7483BD6D380005D2027880095AF06B4CF965D2B92D05CAFF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:08.925{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:08.925{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:08.660{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885105DDDC3CFFE0ADA6B3A01052B5E5,SHA256=60C5FF2689FCC2BDB41DC4ECE67DF3FD253063B6AB144FD0CBF0277FADA07A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:09.758{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B2124F571CC6B1FA2F9400BF4C12DA,SHA256=AC020C5BA9B99D41372AF767DDFA08A9F958AEA375711F12A433175E67721397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:09.336{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.837{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4160979C171726F1B7B9B7B9AABC92B9,SHA256=BA03277C67DC0FC3AEC20792DDA2FF432243E8828CB951268D79CA5698FE05D5,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000039788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:08.917{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49991-false10.0.1.12-8089- 23542300x800000000000000039787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:10.026{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95904C3729D915D548CE6EFBE517F27E,SHA256=54865F933141766E84730A25E834770A70066A5ED50BF058C0037066C2078460,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:08.958{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59562-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000102667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.353{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404648C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4f465|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.353{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404648C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4f37e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.353{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404648C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4f347|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.290{7DAC9CB3-BF8E-63BE-A600-00000000A702}45804820C:\Windows\System32\taskhostw.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.290{7DAC9CB3-BF8E-63BE-A600-00000000A702}45804820C:\Windows\System32\taskhostw.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.275{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405396C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4f465|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.275{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405396C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4f37e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.275{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405396C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4f347|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405396C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4ede0|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+122b80|C:\Windows\System32\SHELL32.dll+4ed9c|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4ed70|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.259{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ca69|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.244{7DAC9CB3-BE89-63BE-1600-00000000A702}13001396C:\Windows\System32\svchost.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.244{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.244{7DAC9CB3-C46E-63BE-A901-00000000A702}62565520C:\Windows\system32\conhost.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.212{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23443600C:\Windows\system32\csrss.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.197{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23447124C:\Windows\system32\csrss.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:10.197{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50406264C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+7664b|C:\Windows\System32\windows.storage.dll+76361|C:\Windows\System32\windows.storage.dll+75fae|C:\Windows\System32\windows.storage.dll+77250|C:\Windows\System32\windows.storage.dll+75cfe|C:\Windows\System32\windows.storage.dll+9ccc5|C:\Windows\System32\windows.storage.dll+9d044|C:\Windows\System32\windows.storage.dll+1f85b4|C:\Windows\System32\windows.storage.dll+63ffa|C:\Windows\System32\windows.storage.dll+63d52|C:\Windows\System32\SHELL32.dll+a13e9|C:\Windows\System32\SHELL32.dll+9ff96|C:\Windows\System32\SHELL32.dll+92739|C:\Windows\System32\SHELL32.dll+536be|C:\Windows\System32\SHELL32.dll+170400|C:\Windows\System32\SHELL32.dll+17c11c|C:\Windows\System32\SHELL32.dll+19eb3c|C:\Windows\System32\SHELL32.dll+17c2b6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000102644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:10.198{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 
14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:12.457{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C470-63BE-4C01-00000000A802}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.457{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C470-63BE-4C01-00000000A802}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.459{3EE3745C-C470-63BE-4C01-00000000A802}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.239{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB6A2D74A178747B92ABA81217A770B,SHA256=FC25F3614887C491AA4FB02D5455B01170EFDC38BCDA676E7E26F6CE07FD7587,IMPHASH=00000000000000000000000000000000falsetrue 
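The records above are events from Microsoft-Windows-Sysmon/Operational with the XML structure stripped, so the fields of each event run together in manifest order and a line break can fall inside a value. What follows is an added example and not part of the page's data, nor Sysmon's or Splunk's code: a Python parser that splits this flattened form back into fields for Event ID 10 (ProcessAccess) and Event ID 3 (NetworkConnect), then hunts the ProcessAccess events for handles to sysmon64.exe whose GrantedAccess carries more than the two query rights. Its assumptions are labelled in the code: RuleName is "-" on every record, Image paths end in ".exe", addresses are IPv4, and the Keywords value is the 16-hex-digit 0x8000000000000000 that every record here carries. The sample input embeds two records copied from this section (the svchost.exe to sysmon64.exe access with record id 39831 and the streamfwd.exe connection with record id 39875) plus one clearly marked constructed record that is not on the page, so the hunt has something to return.

```python
"""Parse the flattened Sysmon records on this page and hunt ProcessAccess (Event ID 10)
for handles to sysmon64.exe that carry more than query rights."""
import re

KW = "0x8" + "0" * 15  # Keywords 0x8000000000000000, 16 hex digits on every record
CH = "Microsoft-Windows-Sysmon/Operational"

# Header: EventID Version Level Task Opcode Keywords EventRecordID Channel Computer RuleName
# UtcTime. Sysmon logs Level 4 and Task == EventID, which resolves the digit run ("1034100"
# is 10,3,4,10,0, not 1,0,3,41,0). RuleName is assumed "-", as on every record on the page.
HEADER = re.compile(
    r"(?P<id>\d{1,2})(?P<ver>\d)4(?P=id)0(?P<kw>0x[0-9a-f]{16})(?P<rec>\d+)" + re.escape(CH)
    + r"(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
EXE = r"[A-Za-z]:\\.+?\.exe"      # assumption: Image paths end in .exe
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # assumption: IPv4, the *IsIpv6 flags are false throughout
BODY = {
    # ProcessAccess v3. SourceProcessId and SourceThreadId run together ("728872"), so they
    # are kept as one opaque string rather than guessed apart.
    10: re.compile(
        rf"(?P<src_guid>{GUID})(?P<src_pid_tid>\d+)(?P<src_image>{EXE})"
        rf"(?P<tgt_guid>{GUID})(?P<tgt_pid>\d+)(?P<tgt_image>{EXE})"
        r"(?P<access>0x[0-9a-f]+?)(?P<trace>(?:[A-Za-z]:\\|UNKNOWN).*)$"),
    # NetworkConnect v5. A port must be followed by its port name ("-" or letters), or the
    # digits inside a hostname such as ...range-780 would be taken as the port.
    3: re.compile(
        rf"(?P<guid>{GUID})(?P<pid>\d+)(?P<image>{EXE})(?P<user>.+?)(?P<proto>tcp|udp)"
        rf"(?P<initiated>true|false)(?P<src_v6>true|false)(?P<src_ip>{IP4})"
        r"(?P<src_host>.*?)(?P<src_port>\d{1,5})(?P<src_portname>-|[a-z]+)"
        rf"(?P<dst_v6>true|false)(?P<dst_ip>{IP4})"
        r"(?P<dst_host>.*?)(?P<dst_port>\d{1,5})(?P<dst_portname>-|[a-z]+)$"),
}


def parse_records(text):
    """Split a flattened export into records; a line break inside a value (the page breaks
    lines at a space, e.g. "C:\\Program " / "Files\\...") is folded back into one space."""
    text = re.sub(r"[ \t]*\n[ \t]*", " ", text)
    heads = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end].strip()
        rec = {"event_id": int(h["id"]), "record_id": int(h["rec"]),
               "computer": h["computer"], "utc": h["utc"], "raw": body}
        pat = BODY.get(rec["event_id"])
        m = pat.match(body) if pat else None
        rec["parsed"] = m is not None  # False for Event IDs 1 and 23 (left raw) and for rejects
        if m:
            rec.update(m.groupdict())
        records.append(rec)
    return records


# PROCESS_* rights from winnt.h, plus the standard rights in the high word.
PROCESS_RIGHTS = {
    0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x8: "VM_OPERATION", 0x10: "VM_READ",
    0x20: "VM_WRITE", 0x40: "DUP_HANDLE", 0x80: "CREATE_PROCESS", 0x100: "SET_QUOTA",
    0x200: "SET_INFORMATION", 0x400: "QUERY_INFORMATION", 0x800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
QUERY_ONLY = 0x400 | 0x1000  # 0x1400: what svchost.exe (lsm.dll over RPC) asks for on this page


def decode_access(mask):
    mask = int(mask, 16) if isinstance(mask, str) else mask
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def hunt_sysmon_handles(records, image_name="sysmon64.exe"):
    """ProcessAccess events against the Sysmon binary whose mask has any bit outside the
    two query rights: 0x1400 from svchost.exe stays out, 0x1fffff or VM_WRITE comes back."""
    hits = []
    for r in records:
        if r["event_id"] != 10 or not r["parsed"]:
            continue
        if not r["tgt_image"].lower().endswith("\\" + image_name):
            continue
        mask = int(r["access"], 16)
        if mask & ~QUERY_ONLY:
            hits.append((r["record_id"], r["src_image"], r["access"], decode_access(mask)))
    return hits


# Sample input: two records copied from this page (headers assembled from their fields so the
# Keywords width is explicit) and one CONSTRUCTED record, marked below, that is not on the page.
SAMPLE = "\n".join([
    "1034100" + KW + "39831" + CH + "win-host-ctus-attack-range-780-2023-01-11 14:15:12.457"
    r"{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe"
    r"{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|"
    r"C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|"
    r"C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|"
    r"C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|"
    r"C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|"
    r"C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    "35430" + KW + "39875" + CH + "win-host-ctus-attack-range-780-2023-01-11 14:15:12.753"
    r"{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program " "\n"  # the page breaks the line here
    r"Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"
    r"NT AUTHORITY\SYSTEMtcptruefalse10.0.1.15"
    r"win-host-ctus-attack-range-780.us-east-2.compute.internal49992-false10.0.1.12-8000-",
    # CONSTRUCTED, not from the page: cmd.exe opening sysmon64.exe with PROCESS_ALL_ACCESS.
    "1034100" + KW + "999999" + CH + "win-host-ctus-attack-range-780-2023-01-11 14:15:15.000"
    r"{00000000-0000-0000-0000-000000000000}48121234C:\Windows\system32\cmd.exe"
    r"{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1fffffUNKNOWN(constructed)",
])
```

On the page's own data the hunt returns nothing: every svchost.exe handle to sysmon64.exe is 0x1400, i.e. PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, and the call trace runs through lsm.dll and RPCRT4.dll, which is the session manager enumerating processes. A rule that fires on any access to the Sysmon process would therefore be pure noise; the mask is what separates a query from a tampering attempt, which is why the constructed 0x1fffff record is the only hit. Note also that SourceProcessId and SourceThreadId cannot be told apart once the tags are gone ("728872"), one reason to keep the original XML rather than this flattened export.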
23542300x800000000000000039825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.192{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87DE85201534B5E5F35F8B40471BA26F,SHA256=148D55990899279C650531B894A9ACB0BC326333FF27D3B73E056327E403A036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.248{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.248{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.248{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.247{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.247{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000102681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.247{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x8000000000000000102680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:12.040{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B95DD7926BDC9512BC8EDD0B04C36D6,SHA256=B3AEA8C82413B4DC5195A88897251CE872F3141148F65F4AA5130FF1180EA230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:13.344{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0066712347901227D8AD8FD7D3621AAB,SHA256=7BBB7BB41011138F90E503E54A42813FC55F96EDD2A785FFDFC64F5C4DC10AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:13.099{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D0062EEBA4056A0B5729E0DB8CDB69,SHA256=D347A77D898E36A532F5B6D039C5E65CFF9FAFF66DD9A4F48F6F3C111A40B98E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.966{3EE3745C-C472-63BE-4E01-00000000A802}7161872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:12.753{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49992-false10.0.1.12-8000- 10341000x800000000000000039874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.765{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000039868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.686{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.686{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.688{3EE3745C-C472-63BE-4E01-00000000A802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.436{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B4FB219B97E94C4467BE693BB60370,SHA256=74A66D7D3DE73F75D38AD510A284AAB90D65A8E02A4FB25AE9D2B5F170D025A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:14.185{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAAFA5B9EC23AA4A874C3053911893B,SHA256=27D69F561D19FC2144F1FDE039E2088DC035FE11F1D2CC065688EE13A9D24DD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.313{3EE3745C-C472-63BE-4D01-00000000A802}1848436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C472-63BE-4D01-00000000A802}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C472-63BE-4D01-00000000A802}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.027{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C472-63BE-4D01-00000000A802}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:14.028{3EE3745C-C472-63BE-4D01-00000000A802}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.753{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E44023631CD6C2AE39BE46C183F9283,SHA256=7B00699F00D88525A1F46E4B98501F893791C9F71A853C3E15E0C6286230F020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.479{3EE3745C-C473-63BE-4F01-00000000A802}3882024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:15.994{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:15.289{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6500A0C1503A4302978094524B4DCAF5,SHA256=CFC14A7BDB6AA0368E14A03683EA5F44FC3FE6392D1393F2EBE8B81F02A84F77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C473-63BE-4F01-00000000A802}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C473-63BE-4F01-00000000A802}388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C473-63BE-4F01-00000000A802}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:15.261{3EE3745C-C473-63BE-4F01-00000000A802}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:14.859{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59563-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:16.394{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372A4C820243521010746F7F4550B89C,SHA256=04CD599467C4804B71AF886D49E663518BEB9A8E231BE3BC9ADBFC905D9C6726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.740{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA318C2B0CE5AC663184E8BD27A58D7F,SHA256=F535C88F08158F705BEBCC259B96A3B46C4BE2CAA9339A5BB6C647475C8DA805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C474-63BE-5001-00000000A802}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C474-63BE-5001-00000000A802}2476C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.584{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C474-63BE-5001-00000000A802}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:16.585{3EE3745C-C474-63BE-5001-00000000A802}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:17.844{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08EC08A0BAF2D3D95E78361E885949E,SHA256=4BA014AC1EF86BD3E320E644C164D50DF75932B6CB97A08AA51E7E5577F5A59A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:15.787{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59564-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000102693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:17.495{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B57D4FC3B9D2122F847A46942670A4F,SHA256=EE663408677F8EFEA93645312C19A9BF07E7B4D73704AEA755B83FFA3A7471AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:17.637{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B54A27ABA1BD74164E7DC9734D244275,SHA256=910551866B0ECF30D5A5793A86A4E2C00E4C348814733C16A2DEBC82DB258A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:18.944{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADC2ECFCD04864FACF6F79E9C27102A,SHA256=F46D25822C29E258ED1B5378A0D7834619FE47F3133A5E63C5D3DE9C47FA92F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:18.593{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB99EE900D792FBA120029466BECF81,SHA256=BA31789A52772E3368196C6051103486D77EB8E73145BF267AF8A89F82C0EED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.922{7DAC9CB3-BE89-63BE-1600-00000000A702}13001396C:\Windows\System32\svchost.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.907{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.907{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:19.907{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23445656C:\Windows\system32\csrss.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.891{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.891{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:17.913{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59565-false169.254.169.254-80http 23542300x8000000000000000102696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:19.688{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1CD6BB6A071D05C660EFCA63A922F8,SHA256=2EB5021923A534B0A6D6877FC8C466B34A035F9292A14F765A6C30E886AC129A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.994{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B7F48D8E178C714634420CA05D6B7B1,SHA256=0FF71C12BCA433E74C3F8ACC5365ECF305E95638681EEBE4C2F4C2AF3E7AF485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.888{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6347B144480D0AA772B1D22994AF97,SHA256=93FDC93625EAD2F4C61FC5EF8DE96E93ECBC41800A737E7462E3AC4AB7BB0244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:20.413{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50406264C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8d3d|C:\Windows\System32\SHELL32.dll+2839ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000102710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:20.412{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50406264C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8d3d|C:\Windows\System32\SHELL32.dll+2839ae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000102709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.401{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.401{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.400{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.399{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:20.399{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
10341000x800000000000000039940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.627{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.624{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.623{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.620{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.618{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.617{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.615{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.610{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.597{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 11241100x8000000000000000102831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.736{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 
23542300x8000000000000000102830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.736{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FB4E82D58E003A3A7CF7036A41C0B9C7,SHA256=2EA38CF1A1908556D337EA86049A22464139A69ABEE1929E600998A88D0B1FFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.725{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C477-63BE-AA01-00000000A702}6280C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.716{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.716{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.715{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.714{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.711{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.711{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.710{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.710{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.710{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.708{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.707{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.707{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.705{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.703{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.700{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.700{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.700{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.699{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.699{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.699{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.697{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.696{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.696{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.696{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.693{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.693{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000102794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.689{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 11241100x8000000000000000102793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.667{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000102792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.667{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4637AD3486D15BDA6CA7FFF1312457C8,SHA256=CCC69E02715C83C7FA7982A613633A3465113179F81502ADF10BB062945912A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.635{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.559{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 
10341000x8000000000000000102789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.446{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.424{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000102787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.396{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x800000000000000039931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.592{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.589{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.579{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.568{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 
10341000x800000000000000039927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.561{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.539{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.524{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.491{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.484{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.474{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.461{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.453{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.446{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.436{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.426{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.414{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.405{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000039914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:24.402{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 11241100x8000000000000000102786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.357{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2023-01-11 13:50:15.890 10341000x8000000000000000102785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.357{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 11241100x8000000000000000102784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.357{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSYSMON TRACE.etl2023-01-11 13:50:15.890 12241200x8000000000000000102783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:24.357{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000102782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.354{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 
12241200x8000000000000000102781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:24.354{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x8000000000000000102780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=621389924778B719199FD3108552F19AF37A0B4417429B0825E107AB5CD94B0E 13241300x8000000000000000102779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000102778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local2023-01-11 14:15:24.276C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=621389924778B719199FD3108552F19AF37A0B4417429B0825E107AB5CD94B0E 13241300x8000000000000000102777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000102776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 
13241300x8000000000000000102775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data
13241300x8000000000000000102774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e)
13241300x8000000000000000102773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007)
12241200x8000000000000000102772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules
12241200x8000000000000000102771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup
12241200x8000000000000000102770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation
12241200x8000000000000000102769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm
12241200x8000000000000000102768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options
10341000x8000000000000000102767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.257{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.178{7DAC9CB3-C46E-63BE-A901-00000000A702}62565520C:\Windows\system32\conhost.exe{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.178{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.178{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.178{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23442368C:\Windows\system32\csrss.exe{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000102762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.178{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.178{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000102760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.178{7DAC9CB3-C46E-63BE-A801-00000000A702}57965536C:\Windows\system32\cmd.exe{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000102759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.134{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"
23542300x800000000000000039944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:25.739{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEA58C074EC98CB9FAE73B9505A8A0C,SHA256=9012E2659C015EAFC9FC371DD83A0214187BAECBB94188C9AC284AE2F9BD12E8,IMPHASH=00000000000000000000000000000000falsetrue
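The records above (EventRecordIDs 102768 to 102775, plus the Event 1 with ID 102759) are the footprint of a Sysmon configuration push: `Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"`, started from cmd.exe by ATTACKRANGE\Administrator, deletes and rewrites the Options, HashingAlgorithm, CheckRevocation, DnsLookup and Rules values under HKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters. The same registry writes are what an attacker produces when blinding or unloading Sysmon, so the useful detection is not "SysmonDrv\Parameters was touched" but "who touched it, with which binary and which command line". The export has lost its field delimiters, so records have to be cut first. The Python below is an added example, not code from this page, from Sysinternals or from Splunk. It assumes the leading block of each record is EventID Version Level Task Opcode Keywords EventRecordID Channel (the order of the Sysmon channel's XML System element) and relies on Sysmon always writing Task == EventID, Level 4 and Opcode 0, which is what makes a prefix such as `13241300x8...` cuttable without guessing; it only extracts fields that can be cut reliably and leaves the rest in a `tail`. It assumes the default driver service name SysmonDrv. SAMPLE is copied from the records above with hashes and parent-process fields dropped; the reg.exe record (EventRecordID 900001, ProcessGuid ending C5A0...) is constructed to exercise the tampering branch and does not appear on the page.

```python
"""Cut the delimiter-less Sysmon export into records and correlate SysmonDrv
parameter writes (Events 12/13) with the Event 1 of the same ProcessGuid.
Added example; not code from the page, Sysinternals or Splunk."""
import re
from collections import defaultdict

# Leading System block: EventID Version Level Task Opcode Keywords EventRecordID Channel.
# Sysmon writes Task == EventID, Level == 4, Opcode == 0, so the backreference cuts
# "13241300x8000000000000000102775" unambiguously into 13|2|4|13|0|0x80..|102775.
PREFIX = re.compile(r'(?P<eid>\d{1,2})(?P<ver>\d)4(?P=eid)0(?P<kw>0x80{15})'
                    r'(?P<rid>\d+)Microsoft-Windows-Sysmon/Operational')
UTC = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}')
HOST = re.compile(r'^(?P<computer>.+?)-(?P<evtype>SetValue|DeleteValue|CreateKey|RenameKey)?$')
PROC = re.compile(r'^(?P<guid>\{[0-9A-F-]{36}\})(?P<pid>\d+)(?P<image>[A-Z]:\\.+?\.exe)', re.I)
REG = re.compile(r'^(?P<target>HK[A-Z]{1,2}\\.+?)'
                 r'(?P<details>Binary Data|DWORD \(0x[0-9a-fA-F]{8}\)|QWORD \(0x[0-9a-fA-F]{16}\))?$')
SYSMON_CMD = re.compile(r'sysmon(?:64)?\.exe\s+-(?P<switch>[cui])\b', re.I)  # -c update, -u uninstall, -i install
USER = re.compile(r'(?P<user>[^\\{]+\\[^\\{]+)\{[0-9A-F-]{36}\}')  # DOMAIN\user sits right before LogonGuid
SYSMON_PARAMS = 'hklm\\system\\currentcontrolset\\services\\sysmondrv\\parameters\\'  # assumes default driver name
SYSMON_IMAGES = {'sysmon.exe', 'sysmon64.exe'}

SAMPLE = (  # copied from the page's records; hashes and parent-process fields dropped
    r'13241300x8000000000000000102773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) '
    r'12241200x8000000000000000102772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteValue2023-01-11 14:15:24.276{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules '
    r'154100x8000000000000000102759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:24.134{7DAC9CB3-C47C-63BE-AB01-00000000A702}6556C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92High '
    r'23542300x800000000000000039944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:25.739{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe '
)
CONSTRUCTED = (  # invented record, not on the page: reg.exe deleting the rule blob without running Sysmon
    r'12241200x8000000000000000900001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteValue2023-01-11 14:20:00.000{7DAC9CB3-C5A0-63BE-FF01-00000000A702}7012C:\Windows\System32\reg.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules'
)


def split_records(text):
    """Yield one dict per record. Fields that cannot be cut without guessing
    (hashes, call traces, parent process) stay in 'tail' instead of being mis-assigned."""
    starts = list(PREFIX.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[m.end():end].strip()
        t = UTC.search(body)
        if not t:
            continue  # layout we do not understand: skip rather than guess
        h = HOST.match(body[:t.start()])
        rec = {'EventID': int(m['eid']), 'Version': int(m['ver']), 'EventRecordID': int(m['rid']),
               'Computer': h['computer'] if h else body[:t.start()],
               'EventType': h['evtype'] if h else None, 'UtcTime': t.group(), 'tail': body[t.end():]}
        p = PROC.match(rec['tail'])  # Events 1/12/13 start {guid}pidImage; Event 23 puts User first
        if p:
            rec.update(ProcessGuid=p['guid'].upper(), ProcessId=int(p['pid']), Image=p['image'])
            rec['tail'] = rec['tail'][p.end():]
        if rec['EventID'] in (12, 13) and (r := REG.match(rec['tail'])):
            rec['TargetObject'], rec['Details'] = r['target'], r['details']
        elif rec['EventID'] == 1:
            c, u = SYSMON_CMD.search(rec['tail']), USER.search(rec['tail'])
            rec['SysmonSwitch'] = c['switch'].lower() if c else None
            rec['User'] = u['user'] if u else None
        yield rec


def sysmon_tamper_findings(records):
    """One finding per process that wrote under SysmonDrv\\Parameters, enriched with
    the user and Sysmon switch from the Event 1 that shares its ProcessGuid."""
    writes, launches = defaultdict(list), {}
    for r in records:
        guid = r.get('ProcessGuid')
        if r['EventID'] in (12, 13) and guid and r.get('TargetObject', '').lower().startswith(SYSMON_PARAMS):
            writes[guid].append(r)
        elif r['EventID'] == 1 and r.get('SysmonSwitch'):
            launches[guid] = r
    findings = []
    for guid, evs in writes.items():
        launch = launches.get(guid)
        image = evs[0].get('Image', '')
        switch = launch['SysmonSwitch'] if launch else None
        if image.rsplit('\\', 1)[-1].lower() not in SYSMON_IMAGES:
            severity = 'high'    # driver parameters edited by something other than Sysmon itself
        elif switch == 'u':
            severity = 'high'    # sysmon -u: uninstall, telemetry stops
        elif launch is None:
            severity = 'medium'  # Sysmon binary wrote config but no matching Event 1 in the window
        else:
            severity = 'info'    # config push: attribute it to the user and command line
        findings.append({'ProcessGuid': guid, 'Computer': evs[0]['Computer'], 'Image': image,
                         'User': launch['User'] if launch else None, 'Switch': switch,
                         'Values': sorted({e['TargetObject'].rsplit('\\', 1)[1] for e in evs}),
                         'RulesReplaced': any(e['TargetObject'].lower().endswith('\\rules') for e in evs),
                         'Severity': severity})
    return findings


if __name__ == '__main__':
    for f in sysmon_tamper_findings(split_records(SAMPLE + CONSTRUCTED)):
        print(f['Severity'], f['Computer'], f['Image'], f['User'], f['Switch'], f['Values'])
```

Run against the full export, the page's own sequence yields one `info` finding (Sysmon64.exe, switch `c`, ATTACKRANGE\Administrator, Rules replaced) and the constructed reg.exe record yields a `high` one. The `medium` branch is for a SysmonDrv write by a Sysmon binary with no matching Event 1, which is what you see when the Event 1 landed outside the search window or Sysmon's own process creation was filtered out of the config.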
11241100x8000000000000000102835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:25.574{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000102834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:25.574{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FB84EE3CC59E202D168FF175078507,SHA256=DC92B3E4CFD3A1650CFE1D48ADD190E219133F272506F703106632CFC56B1DE7,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000102833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:25.320{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x8000000000000000102832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:15:25.320{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data
23542300x800000000000000039946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:26.957{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CD80CDD3678AAA6D1A0824B90CE7C7,SHA256=056436DD187B4ECF09F2BE08605D77EB80A0F6BE879A07FCF0603D21045BBF18,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000102837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:26.659{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000102836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:26.659{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493D216B3001391054351C9F89585FF9,SHA256=91621429B07FA1AC41C0090869615284A183BDA52B4E3C9B2AB32D658E7C0EA2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000039945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:23.722{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49994-false10.0.1.12-8000-
11241100x8000000000000000102841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:27.741{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000102840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:27.741{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B860568ADAAEE33FF34EEF77D9B920,SHA256=2B492640C56161E5AA9B3B9929B1D72BC7E555F57283E84DA353C221A2489E5A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000102839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:25.903{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59567-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
11241100x8000000000000000102838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:27.647{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:15:27.647
11241100x8000000000000000102843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:28.841{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000102842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:28.841{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4E88AB182170E5ACCC650600230D04,SHA256=D51440CA722268A3D0DF7FC9B95E8B661C13D4924C47D95DEF9C0669C9CD07B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000039947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:28.271{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C4C33F9E3F3A2A2732D5BDBA7CCAAD,SHA256=F45E583A6F975FE4161B36922B0779BBF332F54C98F830189956774D61B75CCF,IMPHASH=00000000000000000000000000000000falsetrue
12241200x8000000000000000102896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:29.940{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x8000000000000000102895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:29.940{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
23542300x800000000000000039948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:29.375{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D970E17E9DE5403196B8591DBA61E81,SHA256=718D799BE65D5761D17EED5CAF23726B03A846D7F022632D7FE2029E78EA7605,IMPHASH=00000000000000000000000000000000falsetrue
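The Event 10 (ProcessAccess) records earlier in this export are worth reading carefully before writing an lsass rule against this data. In record 102767 lsass.exe is the source, not the target: it opens Sysmon64.exe with 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) from inside an RPC call (lsasrv.dll and RPCRT4.dll frames in the call trace), which is lsass looking up its caller. svchost.exe (lsm.dll frames) opens the sysmon64.exe service process with 0x1400 (QUERY_INFORMATION plus QUERY_LIMITED_INFORMATION), and cmd.exe (the parent, pid 5796 in the Event 1), csrss.exe and conhost.exe hold 0x1FFFFF (PROCESS_ALL_ACCESS) on the freshly created Sysmon64.exe, which is normal process start-up. None of this is credential access, yet a substring search for "lsass" fires on the first record. The Python below is an added example, not code from this page or from Sysinternals: it decodes GrantedAccess into named rights, applies a rule scoped to lsass as the target and to rights that allow memory reads or thread and handle tricks, and compares it with the naive substring rule. The first four EVENTS copy the records above (call traces shortened); the dump.exe and WmiPrvSE.exe records are constructed and do not appear on the page.

```python
"""Evaluate Sysmon Event 10 the way an lsass credential-access rule should.
Added example; not code from the page or Sysinternals."""

PROCESS_RIGHTS = {  # PROCESS_* specific rights, then the standard rights
    0x0001: 'TERMINATE', 0x0002: 'CREATE_THREAD', 0x0004: 'SET_SESSIONID',
    0x0008: 'VM_OPERATION', 0x0010: 'VM_READ', 0x0020: 'VM_WRITE',
    0x0040: 'DUP_HANDLE', 0x0080: 'CREATE_PROCESS', 0x0100: 'SET_QUOTA',
    0x0200: 'SET_INFORMATION', 0x0400: 'QUERY_INFORMATION', 0x0800: 'SUSPEND_RESUME',
    0x1000: 'QUERY_LIMITED_INFORMATION', 0x2000: 'SET_LIMITED_INFORMATION',
    0x10000: 'DELETE', 0x20000: 'READ_CONTROL', 0x40000: 'WRITE_DAC',
    0x80000: 'WRITE_OWNER', 0x100000: 'SYNCHRONIZE',
}
# Rights that let the caller read or tamper with lsass memory.  0x1000 and 0x1400
# are status queries (lsass itself, svchost, WMI, task managers) and never qualify.
LSASS_DUMP_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040

EVENTS = [  # 1027xx copied from the records above (call traces shortened); 9000xx are invented
    {'EventRecordID': 102767, 'SourceImage': r'C:\Windows\system32\lsass.exe',
     'TargetImage': r'C:\Program Files\ansible\sysmon\Sysmon64.exe', 'GrantedAccess': '0x1000',
     'CallTrace': r'C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\System32\RPCRT4.dll+7ac63'},
    {'EventRecordID': 102765, 'SourceImage': r'C:\Windows\system32\svchost.exe',
     'TargetImage': r'C:\Windows\sysmon64.exe', 'GrantedAccess': '0x1400',
     'CallTrace': r'C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18'},
    {'EventRecordID': 102763, 'SourceImage': r'C:\Windows\system32\csrss.exe',
     'TargetImage': r'C:\Program Files\ansible\sysmon\Sysmon64.exe', 'GrantedAccess': '0x1fffff',
     'CallTrace': r'C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645'},
    {'EventRecordID': 102760, 'SourceImage': r'C:\Windows\system32\cmd.exe',
     'TargetImage': r'C:\Program Files\ansible\sysmon\Sysmon64.exe', 'GrantedAccess': '0x1fffff',
     'CallTrace': r'C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\system32\cmd.exe+f1e1'},
    {'EventRecordID': 900002, 'SourceImage': r'C:\Users\Public\dump.exe',   # constructed dumper
     'TargetImage': r'C:\Windows\system32\lsass.exe', 'GrantedAccess': '0x1010',
     'CallTrace': r'C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(00007FF6A1B21C0F)'},
    {'EventRecordID': 900003, 'SourceImage': r'C:\Windows\System32\wbem\WmiPrvSE.exe',  # constructed benign query
     'TargetImage': r'C:\Windows\system32\lsass.exe', 'GrantedAccess': '0x1000',
     'CallTrace': r'C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d'},
]


def decode_access(mask):
    """Names of the bits set in GrantedAccess.  Bits with no name (PROCESS_ALL_ACCESS
    carries two, 0x4000 and 0x8000) come back as one hex remainder."""
    names = [n for bit, n in PROCESS_RIGHTS.items() if mask & bit]
    rest = mask & ~sum(PROCESS_RIGHTS)
    return names + ([hex(rest)] if rest else [])


def naive_lsass_rule(ev):
    """The substring search people actually write: 'lsass' anywhere in the event."""
    return 'lsass.exe' in ev['SourceImage'].lower() or 'lsass.exe' in ev['TargetImage'].lower()


def lsass_access_rule(ev):
    """Fire only when lsass.exe is the TARGET and the handle carries memory-read or
    thread/handle rights.  A call-trace frame with no backing module (Sysmon prints
    it as UNKNOWN(addr)) means unbacked code touched lsass, so severity goes up."""
    if ev['TargetImage'].rsplit('\\', 1)[-1].lower() != 'lsass.exe':
        return None
    mask = int(ev['GrantedAccess'], 16)
    if not mask & LSASS_DUMP_MASK:
        return None
    unbacked = any(frame.upper().startswith('UNKNOWN') for frame in ev['CallTrace'].split('|'))
    return {'severity': 'critical' if unbacked else 'high',
            'source': ev['SourceImage'], 'rights': decode_access(mask)}


def evaluate(events):
    """(EventRecordID, severity) for every event the scoped rule fires on."""
    return [(e['EventRecordID'], hit['severity']) for e in events if (hit := lsass_access_rule(e))]


if __name__ == '__main__':
    for e in EVENTS:
        print(e['EventRecordID'], decode_access(int(e['GrantedAccess'], 16)),
              'naive:', naive_lsass_rule(e), 'scoped:', lsass_access_rule(e))
```

The scoped rule is silent on all four records from the page and on the WmiPrvSE.exe query, and fires once, as `critical`, on the constructed dumper (VM_READ plus an unbacked frame). Note that this rule only works if the Sysmon configuration actually records ProcessAccess events targeting lsass; the AttackRangeSysmon.xml pushed in the records above evidently logs even 0x1000 accesses with full call traces, which is complete but noisy, and a production config usually filters GrantedAccess to the dump-capable masks.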
734700x8000000000000000102894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.546{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
734700x8000000000000000102893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.546{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid
734700x8000000000000000102892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.546{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid
734700x8000000000000000102891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid
734700x8000000000000000102890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid
734700x8000000000000000102889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid
734700x8000000000000000102888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid
734700x8000000000000000102887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid
734700x8000000000000000102886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid
734700x8000000000000000102885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.186{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x8000000000000000102884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid
734700x8000000000000000102883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid
734700x8000000000000000102882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid
734700x8000000000000000102881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x8000000000000000102880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x8000000000000000102879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x8000000000000000102878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.171{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid
734700x8000000000000000102877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x8000000000000000102876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000102875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid
734700x8000000000000000102874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x8000000000000000102873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
734700x8000000000000000102872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid
734700x8000000000000000102871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid
734700x8000000000000000102870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x8000000000000000102869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x8000000000000000102868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000102867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x8000000000000000102866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid
734700x8000000000000000102865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid
734700x8000000000000000102864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid
734700x8000000000000000102863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
734700x8000000000000000102862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid
734700x8000000000000000102861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid
734700x8000000000000000102860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x8000000000000000102859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid
734700x8000000000000000102858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000102857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x8000000000000000102856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid
10341000x8000000000000000102855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000102854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 
10341000x8000000000000000102850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.155{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:29.156{7DAC9CB3-C481-63BE-AC01-00000000A702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:30.476{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF939EE2D033BE8FAA1F974380D3576E,SHA256=B07998BCB7DA10DAE36035DAFB965F071CB828FD2C5F9E1FD8CF8985118B6FEC,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.845{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000102947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000102946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000102945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000102944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® 
Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000102943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000102942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000102941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 
734700x8000000000000000102940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.829{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000102939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000102938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000102937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000102936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000102935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000102934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000102933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000102932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000102931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000102930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000102929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000102928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.813{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.812{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000102926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.811{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.811{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000102924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.810{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000102923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.810{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000102922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.809{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000102921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.809{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000102920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:30.809{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
734700x8000000000000000102978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000102977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000102976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000102975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000102974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000102973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000102972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 11241100x8000000000000000102971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 734700x8000000000000000102970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000102969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x8000000000000000102968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DA1BD45C238DF9FA4087CCBE0483BB,SHA256=EDE80D468FC348459BEF40CEE9E90C7435B608E32BC95D204F72465CC4D671C2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000102967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000102966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000102964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000102963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000102962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 
10341000x8000000000000000102961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000102957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.630{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.631{7DAC9CB3-C483-63BE-AE01-00000000A702}6812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.749{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59568-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000102953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:29.749{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59568-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 10341000x8000000000000000102952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.080{7DAC9CB3-C482-63BE-AD01-00000000A702}71605664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000102951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.080{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000102950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.080{7DAC9CB3-C482-63BE-AD01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000102949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.080{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=53D1614E8F381EAD42F26333DA1D228B,SHA256=D0A892DDC5734A807C5B74149A65D2E6A6AB75D0DF171170C55106FC84B0E044,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000039952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:32.670{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B792DF7842C5292004167BFAB740228,SHA256=CFA3943D7A569CE11E4E57A900BF6848816765866149B502789F58D08BB7A311,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:32.211{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:32.211{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EED6FC835EA71FF232FD351C1639E71,SHA256=FFF8F52DAD88A7C11901F73099BBB0B613B4B70C5F8ED2CCE3F8DBD4C518C414,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:29.629{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49995-false10.0.1.12-8000- 23542300x800000000000000039953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:33.771{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1607E8C60C99AC02369F78FE9681DB,SHA256=1BD838F15CC76F6AE6A4560A1150F192ED3067F8E2126096D3390F8107EBDA57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:31.815{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59569-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000103076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.432{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.432{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D761EB03E85F3FC7625706019D27D319,SHA256=484D6DFEA2359DA84D2403E33D9F69BEAB26FD7452CC98D50BEDB13A1BF2D4FA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.417{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000103073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.417{7DAC9CB3-C485-63BE-AF01-00000000A702}54566300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.417{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:33.417{7DAC9CB3-C485-63BE-AF01-00000000A702}5456C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | true | Microsoft Windows | Valid

Field order of the Sysmon records below (one event per line, fields separated by " | "; the bare "|" inside CallTrace separates stack frames, as Sysmon writes it):
EventID 7 (ImageLoad): EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
EventID 10 (ProcessAccess): EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
EventID 1 (ProcessCreate): EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine
EventID 23 (FileDelete): EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103070 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.229 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103069 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.229 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103068 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.229 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103067 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.229 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103066 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.229 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103065 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.229 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103064 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.229 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103063 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.229 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.5427 (rs1_release.220929-2054) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103062 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103061 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103060 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103059 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4770 (rs1_release.211101-1440) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103058 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\combase.dll | 10.0.14393.5582 (rs1_release.221130-1719) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103057 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ole32.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103056 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103055 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\win32u.dll | 10.0.14393.51 (rs1_release_inmarket.160801-1836) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103054 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.5582 (rs1_release.221130-1719) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103053 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.5356 (rs1_release.220906-1211) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103052 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103051 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103050 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103049 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103048 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103047 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103046 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.5291 (rs1_release.220806-1444) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103045 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103044 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103043 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103042 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\sechost.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103041 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103040 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103039 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103038 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.10 | libxml2 library | libxml2 | - | libxml2.dll | MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103037 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103036 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.5427 (rs1_release.220929-2054) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0 | true | Microsoft Windows | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 103035 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-BE98-63BE-3600-00000000A702} | 3116 | 3136 | C:\Windows\system32\conhost.exe | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103034 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.5582 (rs1_release.221130-1719) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF | true | Microsoft Windows | Valid
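The ProcessAccess (EventID 10) records in this capture are all of the noisy-but-normal kind: csrss.exe and conhost.exe opening the freshly started splunk-powershell.exe (PID 5456) with 0x1fffff, which is PROCESS_ALL_ACCESS; svchost.exe with lsm.dll on its call stack opening sysmon64.exe with 0x1400, which grants query rights only; splunkd.exe holding 0x1fffff on the child it created according to the EventID 1 record; and that child opening its parent with 0x101400 (query rights plus SYNCHRONIZE). The Python below is an added example, not code from the Splunk Attack Range, from Splunk or from Sysmon: it parses Sysmon events in their Windows event XML form, decodes GrantedAccess into PROCESS_* right names, and drops exactly those patterns (no tamper rights, an allowlisted console-subsystem source, or a source that is the target's parent) so that whatever remains is worth an analyst's time. The sample events are constructed in that XML shape from the GUIDs, PIDs, images and masks on this page, with the System block reduced to EventID and EventRecordID and the call traces shortened; the last sample, a hypothetical updater.exe opening svchost.exe, is made up to show the filter firing, and BENIGN_SOURCES is an assumed allowlist.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# PROCESS_* specific rights plus the standard rights (winnt.h); 0x1FFFFF is PROCESS_ALL_ACCESS.
ACCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0004: "SET_SESSIONID",
    0x0008: "VM_OPERATION", 0x0010: "VM_READ", 0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE", 0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA",
    0x0200: "SET_INFORMATION", 0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that let the holder put code or threads into the target process.
TAMPER_MASK = 0x0002 | 0x0008 | 0x0020
# Sources that open every new console process with full access. Assumed allowlist for this example.
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\conhost.exe"}


def sysmon_xml(event_id, record_id, **fields):
    """Build a minimal Sysmon event in Windows event XML (constructed input for this example)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<EventRecordID>{record_id}</EventRecordID></System>'
            f'<EventData>{data}</EventData></Event>')


def parse_event(xml_text):
    """Flatten one event into a dict of its EventData fields plus EventID and EventRecordID."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    ev["EventID"] = int(system.find("e:EventID", NS).text)
    ev["EventRecordID"] = int(system.find("e:EventRecordID", NS).text)
    return ev


def decode_access(granted):
    """Name the PROCESS_* bits set in Sysmon's hex GrantedAccess string."""
    mask = int(granted, 16)
    return sorted(name for bit, name in ACCESS_RIGHTS.items() if mask & bit)


def triage_process_access(events):
    """Return the EventID 10 events left once the benign patterns seen on this host are removed."""
    # Parent/child pairs learned from EventID 1, keyed by the child's ProcessGuid.
    parent_of = {ev["ProcessGuid"]: ev["ParentProcessGuid"] for ev in events if ev["EventID"] == 1}
    hits = []
    for ev in events:
        if ev["EventID"] != 10:
            continue
        if not int(ev["GrantedAccess"], 16) & TAMPER_MASK:
            continue  # query/synchronize-only handle (0x1400, 0x101400): cannot alter the target
        if ev["SourceImage"].lower() in BENIGN_SOURCES:
            continue  # csrss.exe / conhost.exe setting up the new console process
        if parent_of.get(ev["TargetProcessGUID"]) == ev["SourceProcessGUID"]:
            continue  # a parent keeping the full-access handle to the child it spawned
        hits.append({"EventRecordID": ev["EventRecordID"], "SourceImage": ev["SourceImage"],
                     "TargetImage": ev["TargetImage"], "Rights": decode_access(ev["GrantedAccess"])})
    return hits


SPL_PS = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
SPLUNKD = r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
PS_GUID, SPLUNKD_GUID = "{7DAC9CB3-C485-63BE-AF01-00000000A702}", "{7DAC9CB3-BE97-63BE-2800-00000000A702}"

# Sample events rebuilt from values on this page (call traces shortened); the last is a constructed control.
SAMPLE_EVENTS = [
    sysmon_xml(1, 103024, ProcessGuid=PS_GUID, ProcessId="5456", Image=SPL_PS,
               ParentProcessGuid=SPLUNKD_GUID, ParentProcessId="2656", ParentImage=SPLUNKD),
    sysmon_xml(10, 103035, SourceProcessGUID="{7DAC9CB3-BE98-63BE-3600-00000000A702}",
               SourceImage=r"C:\Windows\system32\conhost.exe", TargetProcessGUID=PS_GUID,
               TargetImage=SPL_PS, GrantedAccess="0x1fffff",
               CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7"),
    sysmon_xml(10, 103030, SourceProcessGUID="{7DAC9CB3-BE88-63BE-0C00-00000000A702}",
               SourceImage=r"C:\Windows\system32\svchost.exe",
               TargetProcessGUID="{7DAC9CB3-BE97-63BE-2D00-00000000A702}",
               TargetImage=r"C:\Windows\sysmon64.exe", GrantedAccess="0x1400",
               CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\lsm.dll+fd18"),
    sysmon_xml(10, 103025, SourceProcessGUID=SPLUNKD_GUID, SourceImage=SPLUNKD,
               TargetProcessGUID=PS_GUID, TargetImage=SPL_PS, GrantedAccess="0x1fffff",
               CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890"),
    sysmon_xml(10, 103181, SourceProcessGUID="{7DAC9CB3-C486-63BE-B101-00000000A702}", SourceImage=SPL_PS,
               TargetProcessGUID=SPLUNKD_GUID, TargetImage=SPLUNKD, GrantedAccess="0x101400",
               CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d"),
    # Hypothetical, not from the page: an unknown binary under C:\Users\Public opening svchost.exe for writing.
    sysmon_xml(10, 999999, SourceProcessGUID="{00000000-0000-0000-0000-000000000001}",
               SourceImage=r"C:\Users\Public\updater.exe",
               TargetProcessGUID="{00000000-0000-0000-0000-000000000002}",
               TargetImage=r"C:\Windows\System32\svchost.exe", GrantedAccess="0x1fffff",
               CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(00007FF612340000)"),
]


def run_sample():
    """Triage the embedded sample; only the constructed updater.exe event should survive."""
    return triage_process_access([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for hit in run_sample():
        print(hit["EventRecordID"], hit["SourceImage"], "->", hit["TargetImage"], hit["Rights"])
```

The parent check only works when the target's EventID 1 is in the same batch, so a real pipeline keeps a window of ProcessCreate events keyed by ProcessGuid rather than triaging each query's results in isolation. The allowlist is keyed on the source image path alone; pairing it with the call trace (ConhostV2.dll and basesrv.DLL frames in the records above) makes it harder for a renamed binary to hide behind a trusted name.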
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103033 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.5582 (rs1_release.221130-1719) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103032 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.5427 (rs1_release.220929-2054) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103031 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 | true | Splunk, Inc. | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 103030 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-BE88-63BE-0C00-00000000A702} | 836 | 4356 | C:\Windows\system32\svchost.exe | {7DAC9CB3-BE97-63BE-2D00-00000000A702} | 2728 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 103029 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-BE88-63BE-0C00-00000000A702} | 836 | 4356 | C:\Windows\system32\svchost.exe | {7DAC9CB3-BE97-63BE-2D00-00000000A702} | 2728 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 103028 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-BE88-63BE-0C00-00000000A702} | 836 | 4356 | C:\Windows\system32\svchost.exe | {7DAC9CB3-BE97-63BE-2D00-00000000A702} | 2728 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 103027 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-BE88-63BE-0C00-00000000A702} | 836 | 4356 | C:\Windows\system32\svchost.exe | {7DAC9CB3-BE97-63BE-2D00-00000000A702} | 2728 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 103026 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-BE86-63BE-0500-00000000A702} | 420 | 3040 | C:\Windows\system32\csrss.exe | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 103025 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-BE97-63BE-2800-00000000A702} | 2656 | 3220 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 103024 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:33.214 | {7DAC9CB3-C485-63BE-AF01-00000000A702} | 5456 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {7DAC9CB3-BE87-63BE-E703-000000000000} | 0x3e7 | 0 | System | MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 | {7DAC9CB3-BE97-63BE-2800-00000000A702} | 2656 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 39954 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-780 | - | 2023-01-11 14:15:34.866 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=7D8E075D284F2D6049896FAE1180C9D1,SHA256=42F411122F2A7B285185FA498C6A060E629516B89FDA19A01A333DCDB786758C,IMPHASH=00000000000000000000000000000000 | false | true
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103182 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.871 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | true | Microsoft Windows | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 103181 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.871 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | 4728 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | {7DAC9CB3-BE97-63BE-2800-00000000A702} | 2656 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103180 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.871 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103179 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.871 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103178 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.730 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103177 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.715 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103176 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.715 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103175 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.715 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103174 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.715 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103173 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.715 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103172 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.715 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103171 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.715 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.5427 (rs1_release.220929-2054) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103170 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.699 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103169 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.699 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103168 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.699 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103167 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.699 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4770 (rs1_release.211101-1440) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103166 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.699 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\combase.dll | 10.0.14393.5582 (rs1_release.221130-1719) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 103165 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:15:34.699 | {7DAC9CB3-C486-63BE-B101-00000000A702} | 7024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ole32.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000103161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 11241100x8000000000000000103158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 734700x8000000000000000103157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x8000000000000000103154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 23542300x8000000000000000103153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAB1A1ECA2716F4DB47CA9A93EEA79A,SHA256=BAD9385BE4022059D4C016FBF9AF21838B5AC935040F6BC4A0CF4B80DCC5121A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000103147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000103141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000103140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000103136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:34.699{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:34.699{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.699{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.700{7DAC9CB3-C486-63BE-B101-00000000A702}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000103129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.416{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft 
WindowsValid 10341000x8000000000000000103128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.416{7DAC9CB3-C486-63BE-B001-00000000A702}2124548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.400{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.400{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft 
WindowsValid 734700x8000000000000000103125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.212{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.212{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.212{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.212{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.212{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.212{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.212{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.212{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000103115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000103105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared 
LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000103090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000103089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 
10341000x8000000000000000103084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000103082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000103080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.197{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:34.198{7DAC9CB3-C486-63BE-B001-00000000A702}212C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:35.829{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:35.829{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F7FEE70193C229818131D510D2B755,SHA256=F4FF5E1F97D4115EA385615C3B45DFDCDE330B96E6B0F580E99869C20A2DA64E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:35.829{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000103183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:35.829{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=671139263315EF7D7CF040CC0780D766,SHA256=A4732D95B71235A999D6FFABB87CB8AF0E80FBC743707F7356A14E4BBB0E0074,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.984{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.984{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107433F02BDA0417D202E763EB209847,SHA256=B66ACB1CE8385341E55EDBB0DC4D033CF2159F05D3DD7D1FB63E9A04DD2FBE2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:34.636{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal49996-false10.0.1.12-8000- 23542300x800000000000000039955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:36.071{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E20A2735FAE13CE852CA1A7F9C52E24,SHA256=D686F93452BD5DF80AAC383C91E872CAF356E1DDB06595B4CBFB928BC7FEE3F6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.747{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.747{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.747{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft 
WindowsValid 734700x8000000000000000103234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.509{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.509{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.509{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.509{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.509{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.509{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.509{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000103224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000103219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000103200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000103198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000103193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:36.494{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:36.494{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.494{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:36.495{7DAC9CB3-C488-63BE-B201-00000000A702}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:37.179{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.507{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E54AE107E3EFDA72F9D55C6FE96389,SHA256=C8DBDA04957462482E939A294397BFDFBFCB867A82E1FE5CCE12D170669F43E3,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000103298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:42.459{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000103297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.459{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000103296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.459{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:42.133{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=26ABC7D74530DDE7C77E7ADA4CF42536,SHA256=C63EE50C078FB5E31F02FDA45625A8B7B4EF4B51A817393CD6F014E5988439E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:42.285{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000103294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:42.285{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000103293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:42.285{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.285{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:43.907{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:43.906{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:43.904{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000103310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:43.498{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:43.498{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A493C8182CE778998DA52419E7AC45BD,SHA256=781313A4777F007DEEDFD5D53A5D48E9D071F5018EB3024BD8F4BF2B5E055833,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.094{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59573-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000103307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:42.094{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59573-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000103332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:42.928{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59574-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000103331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.598{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.598{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC0E80599228B4AF9D78BB7C58C703,SHA256=5EF00B0DAB72501848A16AE94B8567805E5232A9CC81420DE6D187FA5AE651CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.525{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.524{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.522{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.520{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.502{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x800000000000000039996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.588{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.585{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.582{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.579{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.579{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.576{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.574{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.572{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.570{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.564{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.556{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.551{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.547{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.540{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.531{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 
10341000x800000000000000039981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.527{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.512{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.502{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.473{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.466{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.456{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.449{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.442{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.436{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.427{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.420{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.412{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.404{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000039968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.401{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 23542300x800000000000000039967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:44.045{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06B323C107CB3870ED1FCEBEDD3C0FD,SHA256=8F44EF1C7AA4670A9C6AC0D2810B28D41434E1C2F8D2283E4E444DBD0C43E320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:44.487{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.452{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.445{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.435{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.431{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.429{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.426{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.423{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.421{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.420{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000103314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:44.417{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000103365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.884{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.884{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8749539B5684A9AE7E373699DD1B9F,SHA256=FBA20D11C7C58EE967A5CED59F620383B563D4420B774493A2D1545CB1D882C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:45.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC63D1C311685160DB3F08988883296E,SHA256=15F055362FBCF0550125EDE92BD87DC4372C5D9164039C463904224BD6726E79,IMPHASH=00000000000000000000000000000000falsetrue 
12241200x8000000000000000103363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 10341000x8000000000000000103356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:45.023{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.023{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:45.023{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000103353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000103348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000103342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:15:45.022{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 734700x8000000000000000103341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.015{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000103340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.015{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000103339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000103338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x8000000000000000103337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
11241100x8000000000000000103443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:58.560{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:58.560{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD280FCBEBA5FB0AA033796D543ABB32,SHA256=3CABE657266B7C165A9A4F26428386A245090EDB095D89A9AF43D2BAC8E0E750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:58.461{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA30FC86FF5737DDE23EC2E3B22DD3F,SHA256=112E745C69A464B72D2129BB080B8D448748B02D243EE1560FE440420D55FE4D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:59.669{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:15:59.669{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC309E353CC0071C38330A93E8190A68,SHA256=C0BA3ACDA8F316B06F4BC8DA13889E34CB8F9096FCBF23C454AD82EBBBAE6187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:59.566{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C0EC17700E591FEBFC999845C9DDE0,SHA256=B97CF93638473B366485D02CDD2AF12ABA43C310D5BECB3E8C55EBC6EA8B7C4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:15:56.828{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50000-false10.0.1.12-8000- 11241100x8000000000000000103449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:00.772{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:00.772{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E904B0B792C8FDA2332735EE899FB34C,SHA256=82E414AA3C3122B5B625490A9206CDDE5AA487EBCBF544C0ECD8121DE41DB172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:00.657{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3C72A050DE38A5E3CC44D8E1DB394A,SHA256=6A5F1301823FD30FA14635ECEB124F646FF6240AA8971EEA66EDA74C0F36E4C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:00.665{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000103446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:00.665{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8132219C2815E9D79D45A628CE4DC237,SHA256=2853EB4F550D49BA1EB74BCEA785EA15216353809CE372185D7B0122A269D7F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.808{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.808{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB77290455CF38F788FA1E2D12774F5C,SHA256=2423597B54AED332D1B80D9683376706B3C40C3E9853A112A1FF9B38798BC2A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:01.748{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B0B095780112FEE3B150309CCDDFE6,SHA256=7E91B509B1EE614F2A92039CB32DDC6C67636FA86834713E3CFC53F774E78EDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.374{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 
10341000x8000000000000000103469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.348{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.338{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.332{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.326{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.324{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.259{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.249{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.244{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.207{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x8000000000000000103459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.207{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=99536E90C47300013FFB11670B7CFA23,SHA256=ECED7F3D6159F4A71D4609DF1C71C19218AAAC3F4C22309C7B5AFE539E593F60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:01.192{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.176{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x8000000000000000103456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:15:59.050{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59580-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000103455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:01.162{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.133{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.113{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.100{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.020{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:01.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000103483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.891{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.891{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72E7D553C3AB231FE3E14B65C04C81B,SHA256=B7A51A570B7CAE671FC9D84FB355F655A7FA46422421835941D1DC91499BED02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:02.828{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77F4CA12F50C3CB0ECB313101A0039F,SHA256=D54CE71280769A456856B104CC9C8D7304714C910B7DAA8233956E7FB2760089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.141{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000103480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:02.139{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 354300x800000000000000040023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:02.812{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50001-false10.0.1.12-8000- 10341000x800000000000000040022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.440{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000040021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.433{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 
10341000x800000000000000040020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.422{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000040019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:04.419{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 11241100x8000000000000000103506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:05.085{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:05.085{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DADBC13F4ED6FF5959470C8E933D12,SHA256=2491D1AC2BB47BE343AED706E36569EB384A050A244294ACC038EA27CF174814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:05.437{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE202A0EC74DA343104ED12C358A0CB4,SHA256=4F81C5562DC55D1F6D3BE4B8CDD68F7B3A08106A05A5B304F4F559F7CAFF1AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:06.505{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE822E5B2CCD3D0056A0252D2C94E61,SHA256=027A951DAB27E45D7054BFFE6A53DC75359A13F3D075CEEF907FE0E6EA594E4A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:06.168{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:06.168{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6409E602C6BE89FEEE84EE3B692A5C,SHA256=710897A7FB6C95461C9829271826C5682C99E66D44FEE266ADFD87018E5E4703,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:07.833{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:07.833{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:07.833{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:07.814{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:07.607{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDF33EB8EAAE8B8D8C74EEC73847B94,SHA256=689A2B1236761718A4C07C784A23F52535FE1F1770A566E2AE457FEF610AC98A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:07.274{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:07.274{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9EB6CEB9EBAA9A26C62842ECDED4C1,SHA256=63E0060F1D467F3D10B3E7F8492487BB88BABA693AF712A8602F4FFB5C65F2AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:05.005{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59581-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000103513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:08.372{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:08.372{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9A3672BC9FA0BBB18A2CE9B08272C9,SHA256=58A20C0CC6F9EBF274DEC4E26D6C9BDCB6E0C9B058AB81D0015DA82156B12EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:08.685{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837792722984D0053EE3BDD5507B9B95,SHA256=F1706AF761473492F2CB15CE8C413FE5B57DFC72CFBB20FA0807BB85601EB88C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:09.565{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:09.565{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D190A3330C037D5B6616394DCBF655A2,SHA256=98CB82E776467C202C71939449DE4F1268323B4B8BBBAE5CB83A5E0042A8808F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:09.773{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFB3CB4289E6435AB70ADAAB26AF3CF,SHA256=A7224577C0C5E48AFAB1C212A14973F8FA8C73AF6A7B1AD78D9950BBC58D59BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:09.367{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:10.762{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:10.762{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12125CAD36058B3B050ED427B8A65383,SHA256=A1D3B6609032EFA8FC9AF681300A2895101675F1ED692B79761214AA5BD8B46D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.988{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:10.988{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.988{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.988{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.989{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:10.861{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D9E9A964926DFEA76DE767FFB429DC,SHA256=BB03B9CCC2C9CA979711442FE7E8374E863FA52CEFD579F15E6C9300570EBA0C,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000040059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:08.806{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50002-false10.0.1.12-8000- 11241100x8000000000000000103519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:11.841{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:11.841{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8811DD926CBB87944630E112AF771DC5,SHA256=ABDFD34EE1AAEB31712D78D0313AC41C68D589B1EEDF250EF0CE462CB1E1225A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4AB-63BE-5201-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:11.669{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C4AB-63BE-5201-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.669{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4AB-63BE-5201-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.670{3EE3745C-C4AB-63BE-5201-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:08.946{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50003-false10.0.1.12-8089- 10341000x800000000000000040081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.216{3EE3745C-C4AA-63BE-5101-00000000A802}40523736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.073{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D637DA14D82C1FDDFEAC2531D306EA8A,SHA256=745821A9471AA0DB17847F7D70B3E346E9BC68DF4807C9F5FC8377065613E430,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 
10341000x800000000000000040078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:11.049{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4AA-63BE-5101-00000000A802}4052C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 11241100x8000000000000000103522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:12.924{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:12.924{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163E9974918192B032E9DA3029503DD9,SHA256=023173DD6A4B7F37A360B0B856110DF5886C2EE255C94622C6E98108F70B5DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.453{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5D3FF1AB48D7A3B9EA3B69024C985717,SHA256=A2D79EE3A6BE6D41A28B33610E1D3CDE03D87DAE5BE46A78BEEF98F75DBD5DE0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000040110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.187{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED835FA64391C2719C984C022EEC78D7,SHA256=33286F6228897D6295DECAFD701F6E83733663C97279C505E81B9EF49122268C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.187{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C39C0AC5F7D39952132564DC76873088,SHA256=937158685448F87892CF0BB62A7EA273AAF8CC9FD5961332F1A7B3D05BB9881F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.179{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4AC-63BE-5301-00000000A802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:12.176{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:12.175{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C4AC-63BE-5301-00000000A802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:15.284{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.284{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:15.285{3EE3745C-C4AF-63BE-5601-00000000A802}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:16.519{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:16.519{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98407DDB907CDADD5E38C1A0AFA83C3,SHA256=3983CB2CC505A3E176AED47DE491A481EAE10679E20459CD92300B00F5AB527C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.555{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.555{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 
10341000x800000000000000040180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.555{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 354300x800000000000000040179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:14.707{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50004-false10.0.1.12-8000- 10341000x800000000000000040178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:16:16.468{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:16.468{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4B0-63BE-5701-00000000A802}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049727D1C7E511426A8A1144F6468FF2,SHA256=3271DE8BA69BFF0DDC773CC00CE53E8416210320D6680F80C57FDD59B277272D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.536{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.526{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 
10341000x8000000000000000103583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.496{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.485{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.462{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.456{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.454{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.450{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.446{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.620{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.618{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.615{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.613{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.612{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.608{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.607{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.606{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.603{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.598{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.589{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.585{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.582{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.575{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.563{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 
10341000x800000000000000040205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.558{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.537{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.527{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.495{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.487{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.477{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.467{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.458{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.450{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.440{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.432{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.423{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.416{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:24.412{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x8000000000000000103576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.444{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.442{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000103574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:24.439{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 11241100x8000000000000000103594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:25.519{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:25.519{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126E83A185B50ED859FB128E9854615E,SHA256=777524CBBA7CE37915804968C465095D59E5B3C1A2FD85FA3EB4BABDDF59532D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:26.836{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:26.836{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6666480A76E78CA3DA2B924370048721,SHA256=58389E79330B2CBD39B1FAD36CEB63B2AEDFC7C1597356204E7D5BF18477D722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:26.075{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171398AACDCB6A644DB0EE010213AD0C,SHA256=9D8F0A8B32CA07AB0B58C7A3920293C13378A10DD1CE4E30C8B7FAE22CDAF221,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:27.953{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:27.953{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66B8B407373975CACFBE948C65D5EEC,SHA256=A2917F2FAB6C4CA7E4CE157619EB062A6F206E50A9EB4D5A745FD7C00072F1F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:25.764{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50006-false10.0.1.12-8000- 23542300x800000000000000040223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:27.167{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9505E1F7D313399C5926A6B76E6A6BE9,SHA256=A04E9FDABC26BA7BA7C459AA680B4C1068DADEEC37360E04E25F5DCE1E90BC20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000103597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:27.656{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:16:27.656 23542300x800000000000000040225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:28.253{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02252041A038F13DFF32D2E069839999,SHA256=E9877520B8684264D3314661E321A48B0A6F88A149C5F646B587965D517A8249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:29.349{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDF75779C0704CF188CEE72A0B07C93,SHA256=DCFD989AC01699497DF9893D7D7FFDEDF044DB66254B5905DD72F415160711BA,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000103654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:16:29.952{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000103653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:16:29.952{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x8000000000000000103652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.327{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.327{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.327{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000103649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.186{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.186{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000103647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.186{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.186{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.186{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.186{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.186{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.186{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft 
WindowsValid 734700x8000000000000000103637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000103627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000103615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000103613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000103608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000103607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000103605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.171{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.172{7DAC9CB3-C4BD-63BE-B301-00000000A702}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.045{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.045{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A628F47D155E185A22FCAC7524B7F8C8,SHA256=965230BDDB5C4A90C667F965875ADE46C3ABEA6C4D9C5D7C18CED7DC1E7DFD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:30.449{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2290D71BEEE6CAA1793E3CC97208B9,SHA256=A17BD9F9978B0E8F6847013EA6E7252F1A716ACE231595C39CE711F9822E24AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.922{7DAC9CB3-C4BE-63BE-B401-00000000A702}53881968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.922{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.922{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000103710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.730{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:30.729{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 10341000x8000000000000000103708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.729{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.729{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.729{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000103705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.728{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.727{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.717{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.717{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.716{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000103700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.716{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.715{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000103698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.704{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.702{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.694{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.694{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.694{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 
734700x8000000000000000103693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.694{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.691{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.690{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.690{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.688{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:30.671{7DAC9CB3-C4BE-63BE-B401-00000000A702}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft 
Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000103731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x8000000000000000103728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000103726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 23542300x8000000000000000103724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A3A7E53AD398C04AB181FCCC6E8324A1,SHA256=B6D4E64283413B94D8DA82D5AE8CE9D87412DB7B246117BB191165BD0E26E327,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000103720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:31.345{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:31.345{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.345{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:31.346{7DAC9CB3-C4BF-63BE-B501-00000000A702}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:32.821{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:32.821{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED82D31EA24132EF0D56CDB7E56C79E3,SHA256=06DAB8B14C8CDABDE8550D0044D8ECAA2F1F501FE9E31D5C0B9A4DABF5F0A856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:32.728{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A5208717E0754EE2978FC80F81DC16,SHA256=D3CE878F7E6688387A94740A78919342FFE22E518863A1520FB8ABE192946009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.761{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59587-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000103776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:29.761{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59587-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x800000000000000040231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:31.683{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50007-false10.0.1.12-8000- 23542300x800000000000000040230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:33.819{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319E21C2F3056577921A286F7B0F285B,SHA256=C4C2F0DEE0980C75F7A61ED85359857C2B494AA8267C979ED5EC435F225F70BE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000103830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.416{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000103829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.416{7DAC9CB3-C4C1-63BE-B601-00000000A702}62444496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.416{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.400{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000103826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.228{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:33.228{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.228{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.228{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.228{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic 
Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.228{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.228{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.228{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft 
WindowsValid 734700x8000000000000000103818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000103808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000103792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000103791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:33.213{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000103786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:33.213{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:33.213{7DAC9CB3-C4C1-63BE-B601-00000000A702}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.965{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.965{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.964{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.962{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.962{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000103932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.962{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000103931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.851{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000103930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.851{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.851{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.851{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.851{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.851{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.851{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.851{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000103921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000103920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000103915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000103912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000103911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000103910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000103908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000103907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000103906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000103896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:34.836{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000103891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:34.836{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:34.836{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.836{7DAC9CB3-C4C2-63BE-B801-00000000A702}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000103884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.348{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft 
WindowsValid 10341000x8000000000000000103883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.348{7DAC9CB3-C4C2-63BE-B701-00000000A702}49285972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.348{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000103881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.348{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft 
WindowsValid 734700x8000000000000000103880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.191{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000103879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.191{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000103878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.191{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000103877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.191{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000103876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000103875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000103874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000103873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000103872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000103871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000103870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000103869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:34.176{7DAC9CB3-C4C2-63BE-B701-00000000A702}4928C:\Program 
Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000103980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000103979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000103978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000103977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000103976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000103975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000103974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000103973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000103972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000103971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000103970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000103969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000103968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000103967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000103966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000103965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000103964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000103963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000103962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000103961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000103960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000103959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000103958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000103957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:36.511{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:36.511{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:36.511{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000103952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.511{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000103951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.512{7DAC9CB3-C4C4-63BE-B901-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000103950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.480{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000103949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:36.480{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC90BD880ADD2257405E2378CB2FC520,SHA256=1862CFE530C4860AF6ED637340071CBCA13BAE0AC68E19583E54A5B228500F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:36.114{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F633510AA788AF42CF1CE3B84859FA07,SHA256=A3C4E813273F8AA3BE9709D5ABED9828F41A8AAE51B348AA77223696A0C447AA,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000104003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:37.767{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:37.767{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA790E0647902508048E4C5C48B42B6,SHA256=1942725121809F8437138433B49AF46D07B65E454C194C73BD5A549219587C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:37.195{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACD20DEC33154E90CFF2EA2D256BEBA,SHA256=CA4C36DF0C122986F134C0870E89EE8FE7748B4A40AEE994CAA71BACD63AA5E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:38.902{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:16:38.902{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA93AB3CE485468E0410677D8B34AA88,SHA256=2D865DE02A7C20F8219262FB9A2BFF4030B87E438B737596666FC966FC2E40F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:38.633{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-025MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:38.290{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D0341CC1889A8E171D821821E55F2D,SHA256=A1E2AB40E370DB507F7F382FB0A0A8082CFCB94079A24489CA23B5687D812237,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:39.987{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:39.987{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:44.714{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:44.711{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:44.709{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:44.707{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 11241100x8000000000000000104045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:44.362{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:44.362{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D213231339BA959F50FF98C005D922,SHA256=294E5B6FF94DCC5A1B762615793E2B1353FEE1D80211F3AF977950389322430B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.643{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.639{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.637{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.635{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.634{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.631{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.630{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.629{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.626{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.622{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.614{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.610{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.607{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.601{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.586{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 
10341000x800000000000000040258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.580{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.546{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.535{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.504{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.496{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.488{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.478{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.469{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.462{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.449{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.441{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.431{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.419{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:16:44.416{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x8000000000000000104043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:44.201{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
14:17:01.138{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:01.138{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:01.029{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AE0E2EA953E87C831443760217047F,SHA256=2B5D1ABCF572BBE82EEAB46C76C4305FBEAD8A52C2DD0719EB4B42204E303B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:16:59.980{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59593-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000104151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.475{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=78D6E9A6A7908640A049AE762CD9BE9D,SHA256=9F2014E54B0B401BAFF6CF98F9C826CD0AC1EB128B629ED21F7DDCCE08DDC9CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.363{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.349{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.340{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.337{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.334{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.330{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.270{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.251{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.238{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.209{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.188{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.180{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.168{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.154{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.134{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.117{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.092{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.011{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:01.008{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 11241100x8000000000000000104165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.842{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.842{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CAB6F71CF9FF532372DC08F3D33C4E,SHA256=9ED4D54345BF69674230433E02D184DEA6B0C0AA67E443842A57C03DC9AADA9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:00.624{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50012-false10.0.1.12-8000- 23542300x800000000000000040296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:02.121{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62FAD52D2DA3D9BAFE98F0864A403EC,SHA256=E6E752C99130ED7DB8C65CE2888DB0A0BF55EBDF2D9B24DD99A9C6BB7249EA10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.144{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 
10341000x8000000000000000104162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.143{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.138{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.137{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.131{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.127{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000104157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.119{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 11241100x8000000000000000104156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.118{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-11 13:51:01.788 23542300x8000000000000000104155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:02.117{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F56A4B38EE288F2D5D8BC83B718F728A,SHA256=FE7D50ACE1EDC7964C72131A6105ED381817AFA098CA893DB2CA01A5FBDF8666,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:03.919{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 
09:32:18.990

All records below: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=- (field separators restored; fields follow the Sysmon EventData order for each EventID).

Sysmon EventID 23 FileDelete (schema v5). Common fields: User=NT AUTHORITY\SYSTEM, Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational, IMPHASH=00000000000000000000000000000000, IsExecutable=false, Archived=true
EventRecordID | Computer | UtcTime | ProcessGuid | ProcessId | MD5 | SHA256
104168 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:17:03.919 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | 9D2EB1FDB98728F378F190F3CC321026 | 60608F40E808C3A3A2F10AA32F438C0EA14309ED50103983667D8B0B0FF339FD
40298 | win-host-ctus-attack-range-780 | 2023-01-11 14:17:03.311 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | 1B92A24682B0185167B5E7FDF62EB8F1 | CC1A3590BF25D07A1117C33DCD96258553D35340B67C7A34BBDF2935C474F293
104189 | win-dc-ctus-attack-range-661.attackrange.local | 2023-01-11 14:17:04.992 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | 26A0E6A3926CBDE1D59B767EC5526892 | 8FE558811FB818897F150645E4709B87AB48A9CA1ECF7AC223CD38F644FBD44F

Sysmon EventID 13 RegistryEvent (schema v2). Common fields: Computer=win-dc-ctus-attack-range-661.attackrange.local, EventType=SetValue, UtcTime=2023-01-11 14:17:03.495, ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702}, ProcessId=5040, Image=C:\Windows\Explorer.EXE, Details=Binary Data
EventRecordID | TargetObject
104167 | HKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA
104166 | HKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr

Sysmon EventID 11 FileCreate (schema v2)
EventRecordID=104190 | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:17:04.992 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2023-01-10 09:32:18.990

Sysmon EventID 10 ProcessAccess (schema v3), Computer=win-dc-ctus-attack-range-661.attackrange.local. Common fields: SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702}, SourceProcessId=5840, SourceThreadId=5988, SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe, GrantedAccess=0x40, CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage
104188 | 2023-01-11 14:17:04.938 | {7DAC9CB3-C46E-63BE-A901-00000000A702} | 6256 | C:\Windows\system32\conhost.exe
104187 | 2023-01-11 14:17:04.937 | {7DAC9CB3-C46E-63BE-A801-00000000A702} | 5796 | C:\Windows\system32\cmd.exe
104186 | 2023-01-11 14:17:04.936 | {7DAC9CB3-C226-63BE-5B01-00000000A702} | 4528 | C:\Program Files\Notepad++\notepad++.exe
104185 | 2023-01-11 14:17:04.931 | {7DAC9CB3-C059-63BE-F300-00000000A702} | 6208 | C:\Windows\system32\wbem\wmiprvse.exe

Sysmon EventID 10 ProcessAccess (schema v3), Computer=win-host-ctus-attack-range-780. Common fields: SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802}, SourceProcessId=1552, SourceThreadId=2924, SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe, GrantedAccess=0x40, CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190)
EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage
40328 | 2023-01-11 14:17:04.776 | {3EE3745C-C0AB-63BE-C000-00000000A802} | 588 | C:\Windows\system32\wbem\wmiprvse.exe
40327 | 2023-01-11 14:17:04.768 | {3EE3745C-BEFF-63BE-8200-00000000A802} | 524 | C:\Windows\System32\msdtc.exe
40326 | 2023-01-11 14:17:04.758 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
40325 | 2023-01-11 14:17:04.754 | {3EE3745C-BE91-63BE-6200-00000000A802} | 3328 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
40324 | 2023-01-11 14:17:04.752 | {3EE3745C-BE88-63BE-3D00-00000000A802} | 2812 | C:\Windows\system32\conhost.exe
40323 | 2023-01-11 14:17:04.744 | {3EE3745C-BE87-63BE-3C00-00000000A802} | 3024 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe
40322 | 2023-01-11 14:17:04.743 | {3EE3745C-BE87-63BE-2E00-00000000A802} | 2956 | C:\Windows\system32\conhost.exe
40321 | 2023-01-11 14:17:04.740 | {3EE3745C-BE86-63BE-2600-00000000A802} | 2580 | C:\Windows\system32\wbem\unsecapp.exe
40320 | 2023-01-11 14:17:04.735 | {3EE3745C-BE86-63BE-2500-00000000A802} | 2340 | C:\Windows\system32\svchost.exe
40319 | 2023-01-11 14:17:04.725 | {3EE3745C-BE85-63BE-2200-00000000A802} | 1620 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
40318 | 2023-01-11 14:17:04.717 | {3EE3745C-BE85-63BE-2000-00000000A802} | 1288 | C:\Windows\system32\svchost.exe
40317 | 2023-01-11 14:17:04.710 | {3EE3745C-BE85-63BE-1F00-00000000A802} | 1992 | C:\Windows\System32\svchost.exe
40316 | 2023-01-11 14:17:04.703 | {3EE3745C-BE85-63BE-1C00-00000000A802} | 1912 | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
40315 | 2023-01-11 14:17:04.694 | {3EE3745C-BE85-63BE-1A00-00000000A802} | 1896 | C:\Windows\sysmon64.exe
40314 | 2023-01-11 14:17:04.684 | {3EE3745C-BE85-63BE-1800-00000000A802} | 1780 | C:\Windows\System32\spoolsv.exe
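Added example, not part of the exported data set and not Splunk's or Sysmon's own tooling: a Python parser that re-delimits records in the run-together form shown on this page, using the Sysmon EventData order for EventID 10 (ProcessAccess) and EventID 13 (RegistryEvent), and then runs two checks over the recovered fields: it decodes the ROT13 UserAssist value names written by Explorer.EXE, and it lists every process that opened lsass.exe together with the rights it was granted. Sample records 40301 and 104166 are copied from the export; the third sample record, the aurora-agent.exe allowlist, the CRED_ACCESS bit set and the PID/TID split heuristic are this example's own assumptions.

```python
"""Added example: re-delimit the run-together Sysmon records on this page (header digits, Keywords,
EventRecordID, Channel, Computer, RuleName, then EventData in schema order) and run two checks."""
import codecs
import re

GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
UTC = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
PATH = r"[A-Za-z]:\\.+?"  # non-greedy: the field that follows anchors the end
# Sysmon logs Level 4, Task == EventID, Opcode 0; the backreference is what makes "23542300x..." parse
# as EID 23 / version 5 rather than EID 2 / version 3.  RuleName "-" is assumed (true of this export).
HEADER = re.compile(
    r"^(?P<eid>\d{1,2})(?P<version>\d)4(?P=eid)00x(?P<keywords>[0-9A-Fa-f]{16})(?P<record>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>[\w.-]+?)-"
    r"(?=SetValue|CreateKey|DeleteKey|DeleteValue|RenameKey|\d{4}-\d{2}-\d{2} )(?P<body>.*)$")
# EID 10 v3 order: UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace
EID10 = re.compile(
    r"^(?P<utc>" + UTC + r")(?P<sguid>" + GUID + r")(?P<spid_tid>\d+)(?P<simg>" + PATH
    + r")(?P<tguid>" + GUID + r")(?P<tpid>\d+)(?P<timg>" + PATH
    + r")(?P<access>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|UNKNOWN|$)(?P<trace>.*)$")
# EID 13 v2 order: EventType, UtcTime, ProcessGuid, ProcessId, Image, TargetObject, Details (typed Details only: a string Details is inseparable from TargetObject)
EID13 = re.compile(
    r"^(?P<etype>SetValue|CreateKey|DeleteKey|DeleteValue|RenameKey)(?P<utc>" + UTC + r")(?P<guid>" + GUID
    + r")(?P<pid>\d+)(?P<img>" + PATH + r")(?P<target>HK[A-Z]{1,2}\\.+?)"
    + r"(?P<details>Binary Data|DWORD \(0x[0-9A-F]{8}\)|QWORD \(0x[0-9A-F]{16}\))$")
PROCESS_RIGHTS = {  # winnt.h
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
    0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
CRED_ACCESS = 0x2 | 0x8 | 0x10 | 0x20 | 0x40  # rights a dumper needs on lsass; this example's choice
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32"}  # FOLDERID_System

def access_names(mask):
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def split_pid_tid(digits):
    """PID and TID ran together: both are multiples of 4 with no leading zero, so take the most even
    valid split, or None on a tie, because the export genuinely cannot tell them apart (heuristic)."""
    cands = sorted((abs(len(digits) - 2 * i), int(digits[:i]), int(digits[i:])) for i in range(1, len(digits))
                   if digits[i] != "0" and int(digits[:i]) % 4 == 0 and int(digits[i:]) % 4 == 0)
    if not cands or (len(cands) > 1 and cands[0][0] == cands[1][0]):
        return None
    return cands[0][1], cands[0][2]

def parse_record(line):
    """Recovered fields as a dict, or None when the header does not parse."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"EventID": int(m["eid"]), "Version": int(m["version"]), "EventRecordID": int(m["record"]), "Computer": m["computer"]}
    if rec["EventID"] == 10 and (b := EID10.match(m["body"])):
        spid, stid = split_pid_tid(b["spid_tid"]) or (None, None)
        rec.update(UtcTime=b["utc"], SourceProcessGUID=b["sguid"], SourceProcessId=spid, SourceThreadId=stid,
                   SourceImage=b["simg"], TargetProcessGUID=b["tguid"], TargetProcessId=int(b["tpid"]),
                   TargetImage=b["timg"], GrantedAccess=int(b["access"], 16), CallTrace=b["trace"])
    elif rec["EventID"] == 13 and (b := EID13.match(m["body"])):  # other EventIDs need their own schema regex
        rec.update(EventType=b["etype"], UtcTime=b["utc"], ProcessGuid=b["guid"], ProcessId=int(b["pid"]),
                   Image=b["img"], TargetObject=b["target"], Details=b["details"])
    return rec

def decode_userassist(rec):
    """UserAssist value names are ROT13; a leading GUID is a KNOWNFOLDERID."""
    target = rec.get("TargetObject", "")
    if rec.get("EventID") != 13 or "\\UserAssist\\" not in target:
        return None
    name = codecs.decode(target.rsplit("\\Count\\", 1)[-1], "rot13")
    for guid, folder in KNOWN_FOLDERS.items():
        name = name.replace(guid, folder)
    return name

def lsass_access(records, trusted_sources=()):
    """(SourceImage, rights, suspicious) per ProcessAccess on lsass.exe.  An agent is excused only if its
    path is allowlisted AND the CallTrace passes through that image, which code injected into it would lack."""
    hits = []
    for r in records:
        if r.get("EventID") != 10 or not r["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        frames = [f.split("+")[0] for f in r["CallTrace"].split("|")]
        trusted = r["SourceImage"] in trusted_sources and r["SourceImage"] in frames
        hits.append((r["SourceImage"], access_names(r["GrantedAccess"]),
                     bool(r["GrantedAccess"] & CRED_ACCESS) and not trusted))
    return hits

# Records 40301 and 104166 are copied from the export (line breaks re-joined, CallTrace shortened); the
# third record is constructed to exercise the positive lsass case and does not appear in the export.
SAMPLE = [
    r"10341000x800000000000000040301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:04.454"
    r"{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632"
    r"C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190)",
    r"13241300x8000000000000000104166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue"
    r"2023-01-11 14:17:03.495{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data",
    r"10341000x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:00.000"
    r"{3EE3745C-0000-63BE-0000-00000000A802}41004104C:\Users\Public\pd.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632"
    r"C:\Windows\system32\lsass.exe0x1FFFFFC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Users\Public\pd.exe+1234|UNKNOWN(0000000000401000)",
]

def analyse(lines=SAMPLE):
    records = [r for r in map(parse_record, lines) if r]
    agents = {r"C:\Program Files\Aurora-Agent\aurora-agent.exe"}  # allowlist: this example's assumption
    return {"userassist": [d for d in map(decode_userassist, records) if d], "lsass": lsass_access(records, agents)}
```

analyse() returns the decoded UserAssist entry ({1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is FOLDERID_System, so record 104166 is Explorer recording a launch of System32\cmd.exe under the SID ending in -500) and the lsass hits: the Aurora-Agent scan with PROCESS_DUP_HANDLE (0x40) is not flagged because its path is allowlisted and appears as a CallTrace frame, while the constructed record asking for 0x1FFFFF is. The SourceProcessId/SourceThreadId boundary is the one field this export cannot always recover, which is the practical argument for keeping the XML (renderXml) or the original separators rather than a flattened copy.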
Sysmon EventID 10 ProcessAccess (schema v3), Computer=win-host-ctus-attack-range-780 (Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, RuleName=-; field separators restored). Common fields: SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802}, SourceProcessId=1552, SourceThreadId=2924, SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe, GrantedAccess=0x40, CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190)
EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage
40313 | 2023-01-11 14:17:04.681 | {3EE3745C-BE85-63BE-1700-00000000A802} | 1236 | C:\Windows\system32\svchost.exe
40312 | 2023-01-11 14:17:04.658 | {3EE3745C-BE85-63BE-1600-00000000A802} | 1224 | C:\Windows\system32\svchost.exe
40311 | 2023-01-11 14:17:04.642 | {3EE3745C-BE85-63BE-1500-00000000A802} | 1040 | C:\Windows\system32\svchost.exe
40310 | 2023-01-11 14:17:04.602 | {3EE3745C-BE85-63BE-1400-00000000A802} | 1032 | C:\Windows\system32\svchost.exe
40309 | 2023-01-11 14:17:04.591 | {3EE3745C-BE85-63BE-1300-00000000A802} | 868 | C:\Windows\system32\svchost.exe
40308 | 2023-01-11 14:17:04.580 | {3EE3745C-BE85-63BE-1200-00000000A802} | 1004 | C:\Windows\System32\svchost.exe
40307 | 2023-01-11 14:17:04.570 | {3EE3745C-BE85-63BE-1100-00000000A802} | 972 | C:\Windows\System32\svchost.exe
40306 | 2023-01-11 14:17:04.558 | {3EE3745C-BE85-63BE-1000-00000000A802} | 944 | C:\Windows\System32\svchost.exe
40305 | 2023-01-11 14:17:04.543 | {3EE3745C-BE85-63BE-0F00-00000000A802} | 904 | C:\Windows\system32\dwm.exe
40304 | 2023-01-11 14:17:04.528 | {3EE3745C-BE85-63BE-0E00-00000000A802} | 896 | C:\Windows\system32\LogonUI.exe
40303 | 2023-01-11 14:17:04.514 | {3EE3745C-BE84-63BE-0D00-00000000A802} | 788 | C:\Windows\system32\svchost.exe
40302 | 2023-01-11 14:17:04.488 | {3EE3745C-BE84-63BE-0C00-00000000A802} | 728 | C:\Windows\system32\svchost.exe
40301 | 2023-01-11 14:17:04.454 | {3EE3745C-BE84-63BE-0B00-00000000A802} | 632 | C:\Windows\system32\lsass.exe
40300 | 2023-01-11 14:17:04.441 | {3EE3745C-BE84-63BE-0900-00000000A802} | 572 | C:\Windows\system32\winlogon.exe

Sysmon EventID 23 FileDelete (schema v5)
EventRecordID=40299 | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:17:04.420 | ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId=3564 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=40BC6DED1970061B2B8E346638CA94B5,SHA256=818B26173B33A3153FC4181D04CE670ED601EB56C935A9A8D07B24A0CAC22C1A,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

Sysmon EventID 10 ProcessAccess (schema v3), Computer=win-dc-ctus-attack-range-661.attackrange.local. Common fields: SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702}, SourceProcessId=5840, SourceThreadId=5988, SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe, GrantedAccess=0x40, CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0)
EventRecordID | UtcTime | TargetProcessGUID | TargetProcessId | TargetImage
104184 | 2023-01-11 14:17:04.903 | {7DAC9CB3-BF91-63BE-AF00-00000000A702} | 4604 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
104183 | 2023-01-11 14:17:04.861 | {7DAC9CB3-BF90-63BE-AE00-00000000A702} | 4168 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
104182 | 2023-01-11 14:17:04.773 | {7DAC9CB3-BF8F-63BE-AD00-00000000A702} | 5040 | C:\Windows\Explorer.EXE
104181 | 2023-01-11 14:17:04.753 | {7DAC9CB3-BF8E-63BE-A500-00000000A702} | 4540 | C:\Windows\system32\svchost.exe
104180 | 2023-01-11 14:17:04.733 | {7DAC9CB3-BF8E-63BE-A200-00000000A702} | 4436 | C:\Windows\System32\rdpclip.exe
104179 | 2023-01-11 14:17:04.721 | {7DAC9CB3-BF8C-63BE-9F00-00000000A702} | 172 | C:\Windows\system32\dwm.exe
104178 | 2023-01-11 14:17:04.715 | {7DAC9CB3-BF8B-63BE-9D00-00000000A702} | 2144 | C:\Windows\system32\winlogon.exe
104177 | 2023-01-11 14:17:04.710 | {7DAC9CB3-BF11-63BE-8900-00000000A702} | 3180 | C:\Windows\System32\msdtc.exe
104176 | 2023-01-11 14:17:04.703 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
104175 | 2023-01-11 14:17:04.697 | {7DAC9CB3-BEA4-63BE-7100-00000000A702} | 3944 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
104174 | 2023-01-11 14:17:04.693 | {7DAC9CB3-BE99-63BE-4500-00000000A702} | 3588 | C:\Windows\system32\conhost.exe
104173 | 2023-01-11 14:17:04.689 | {7DAC9CB3-BE99-63BE-4400-00000000A702} | 3552 | C:\Program Files\Amazon\SSM\ssm-agent-worker.exe
104172 | 2023-01-11 14:17:04.172 | {7DAC9CB3-BE98-63BE-3D00-00000000A702} | 3280 | C:\Windows\System32\vds.exe
104171 | 2023-01-11 14:17:04.171 | {7DAC9CB3-BE98-63BE-3600-00000000A702} | 3116 | C:\Windows\system32\conhost.exe
10341000x8000000000000000104170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:04.170{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000040329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:05.812{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DB6B6C5D9206233CB8924D18DC7638,SHA256=029A4B0476E33EB0F5AE5586B0862205B3AC82748C3EE1E7D198DE8E98597143,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:05.975{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:05.975{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560A1805EABE01B43BC97BC6C6A63BCE,SHA256=8BB31C6AD771BA1AD33E5C6B683AEDD59EDA780C49F63FBE0AF9329534AB434D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:07.814{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:07.021{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2D7A0EC1AC41EE8BC83C9A9778EB22,SHA256=8CDA620D2CBB868808DEA71AFBFEA1309212199C6C6DC686B8F01366B9D5B443,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:05.910{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59594-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000104227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.078{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.078{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86747671764278E01AB92C53D66FB0D5,SHA256=5D0EF972CFACED0429EE7E58BA147EF54AFC1E8BD86191EC8C3E2B85AEE3321E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000104224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.031{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.030{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.030{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.030{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.030{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.030{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:07.030{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:07.030{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000104239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:12.857{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:12.857{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2F5E7F5BA5CF2C175B5C5B68B5A18B,SHA256=920868B8146B7D87D0D6225D8D8899A43932417C68AA1B653E30CFBDB22ADADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.699{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E0E062A76F718DC5DA4C8C8E80D8C9,SHA256=B21562D7960C2916E35B974B615A9C920DD58ABB7F18763E96A6917895F3A717,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:10.990{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59595-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000040384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.173{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4E8-63BE-5A01-00000000A802}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.170{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:12.170{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.170{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:12.170{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.170{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:12.170{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.170{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:12.169{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.169{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.169{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C4E8-63BE-5A01-00000000A802}312C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.169{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4E8-63BE-5A01-00000000A802}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.169{3EE3745C-C4E8-63BE-5A01-00000000A802}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:12.137{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44C087A27D5561A10B6C6C01437DDA36,SHA256=221BD9ED33B52EE125AB5244881FBF5DDD2B0BDAF55B5E498302F624D51B8D88,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:13.948{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:13.948{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB17FA47720FC47D6D12859E8284D20,SHA256=120CB1528843A993B53A3183D3F42E52368F790A739B3EDADB7F14DD020D60AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:13.931{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.931{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.931{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.931{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.932{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000040387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:11.691{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50015-false10.0.1.12-8000- 23542300x800000000000000040386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:13.790{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318AF1E67AD88FF5A213A23F96318077,SHA256=03B154302535DCF3A99B97181AAE68796F954CA374EA453EC44BA5F9EC01D8C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.930{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4EA-63BE-5D01-00000000A802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.930{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.930{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C4EA-63BE-5D01-00000000A802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.930{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4EA-63BE-5D01-00000000A802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.931{3EE3745C-C4EA-63BE-5D01-00000000A802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.633{3EE3745C-C4EA-63BE-5C01-00000000A802}3536172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.430{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4EA-63BE-5C01-00000000A802}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.430{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.430{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C4EA-63BE-5C01-00000000A802}3536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.430{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C4EA-63BE-5C01-00000000A802}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.431{3EE3745C-C4EA-63BE-5C01-00000000A802}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.163{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.163{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 
10341000x800000000000000040405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.163{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.162{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.162{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.162{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C4E9-63BE-5B01-00000000A802}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:14.161{3EE3745C-C4E9-63BE-5B01-00000000A802}3443660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:15.152{3EE3745C-C4EA-63BE-5D01-00000000A802}33161968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:15.058{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C929CBD6AC1728C596A0482078B160D,SHA256=4F2380838BB8106DEC81C52ED767F9DC8C21406A45D4771030F71C8FB9D4B4F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:15.042{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000104242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:15.042{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF145D68A0559CE36F368D66106489E9,SHA256=FCC2932F1FF3E44536A8644154289C5EDE5942D11E7A10DB4FC70781C470298A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:16.483{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C4EC-63BE-5E01-00000000A802}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:21.117{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:21.104{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:21.085{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:21.066{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:21.049{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:21.041{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 23542300x800000000000000040458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:22.854{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524C57B296DAB221D40BA70FFFE3FA0B,SHA256=414B39BA6CCCCD35963227D28E6C6939DF5041C80DC95BE308085CB400D6E56A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:22.743{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:22.743{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B204FAE02AB2AEB7A43791E748A7C4FB,SHA256=33151D46F8024DC6585C834A7E0BE184C170D61C65094D771D6E1C967DD33675,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:23.943{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:23.942{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:23.940{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 11241100x8000000000000000104292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:23.846{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:23.846{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB8F064DF6FFBE79DCAE142EA7D8505,SHA256=F691075E3731ED7259001BEC4E5BF57872921F5A5E076BC52B0C7CB5AEB22D20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.910{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000104312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.910{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908130AECBBE83285DF8D48B2FDB334C,SHA256=BB25209715815D2628A33E96C410552CD09B34526AA06160116F235E553F3C5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.632{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.628{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.624{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.620{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.618{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.613{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.611{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.609{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.605{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.601{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.595{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.583{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.580{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.573{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.566{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 
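The Event ID 10 records in this export are Sysmon ProcessAccess events: aurora-agent.exe, running as a 32-bit process on x64 Windows (the wow64.dll and wow64cpu.dll frames in CallTrace), opens every process on the host, lsass.exe included, with GrantedAccess 0x40 (PROCESS_DUP_HANDLE only). The interleaved Event ID 23 and 11 records are the Splunk Universal Forwarder's own FileDelete/FileCreate churn on its WinEventLog checkpoint file. The following is an added example, not part of this export and not code from the Aurora or Splunk projects: it parses constructed Sysmon XML records (the field values for the first two are taken from the export; dumper.exe, tool.exe and the allow-list policy are hypothetical) and flags LSASS handles that carry memory-access rights or that come from a source outside the allow list.

```python
"""Decode Sysmon Event ID 10 (ProcessAccess) and flag risky LSASS handles.

Added example: the sample records below are constructed, not read from Splunk.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Process access rights from winnt.h.
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

ACCESS_NAMES = {
    PROCESS_TERMINATE: "TERMINATE", PROCESS_CREATE_THREAD: "CREATE_THREAD",
    PROCESS_VM_OPERATION: "VM_OPERATION", PROCESS_VM_READ: "VM_READ",
    PROCESS_VM_WRITE: "VM_WRITE", PROCESS_DUP_HANDLE: "DUP_HANDLE",
    PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION",
}
# Rights that let the holder read or alter the target's memory; credential dumping needs VM_READ.
MEMORY_RIGHTS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD

# Hypothetical allow list: the EDR agent in the export opens every process with 0x40 only.
ALLOWED_DUP_HANDLE_SOURCES = {r"c:\program files\aurora-agent\aurora-agent.exe"}


@dataclass
class ProcessAccess:
    utc_time: str
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def parse_event(xml_text: str) -> ProcessAccess:
    """Pull the ProcessAccess fields out of one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    # Sysmon XML carries a namespace; strip it so <Data Name="..."> elements match.
    data = {el.get("Name"): (el.text or "") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Data" and el.get("Name")}
    return ProcessAccess(data["UtcTime"], data["SourceImage"], data["TargetImage"],
                         int(data["GrantedAccess"], 16), data.get("CallTrace", ""))


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into the named rights it contains."""
    return [name for bit, name in ACCESS_NAMES.items() if mask & bit]


def is_wow64(call_trace: str) -> bool:
    """True when the call stack went through the WOW64 layer (32-bit caller on x64)."""
    return "wow64" in call_trace.lower()


def classify(evt: ProcessAccess) -> str:
    """'suspicious' for LSASS handles with memory rights, or DUP_HANDLE from an unknown source."""
    if evt.target_image.lower().rsplit("\\", 1)[-1] != "lsass.exe":
        return "benign"
    if evt.granted_access & MEMORY_RIGHTS:
        return "suspicious"
    if evt.granted_access & PROCESS_DUP_HANDLE and evt.source_image.lower() not in ALLOWED_DUP_HANDLE_SOURCES:
        return "suspicious"
    return "benign"


def triage(xml_events: list[str]) -> list[tuple[str, str, list[str], str]]:
    """Return (source, target, decoded rights, verdict) for each XML record."""
    rows = []
    for text in xml_events:
        evt = parse_event(text)
        rows.append((evt.source_image, evt.target_image, decode_access(evt.granted_access), classify(evt)))
    return rows


def _sysmon_xml(utc: str, src: str, tgt: str, access: str, trace: str) -> str:
    """Constructed Event ID 10 record in the XML layout Sysmon writes to the event log."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>10</EventID></System><EventData>"
            f'<Data Name="UtcTime">{utc}</Data><Data Name="SourceImage">{src}</Data>'
            f'<Data Name="TargetImage">{tgt}</Data><Data Name="GrantedAccess">{access}</Data>'
            f'<Data Name="CallTrace">{trace}</Data></EventData></Event>')


AURORA = r"C:\Program Files\Aurora-Agent\aurora-agent.exe"
LSASS = r"C:\Windows\system32\lsass.exe"
# CallTrace abridged from the export; the wow64 frames mark a 32-bit agent on x64 Windows.
AURORA_TRACE = (r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|"
                r"C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|"
                r"C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|"
                r"C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390)")

SAMPLE_EVENTS = [
    # Values as seen in the export: the agent opens lsass.exe with PROCESS_DUP_HANDLE only.
    _sysmon_xml("2023-01-11 14:17:24.423", AURORA, LSASS, "0x40", AURORA_TRACE),
    _sysmon_xml("2023-01-11 14:17:24.411", AURORA, r"C:\Windows\system32\winlogon.exe", "0x40", AURORA_TRACE),
    # Hypothetical: an unknown binary asks for VM_READ|QUERY_LIMITED_INFORMATION on lsass.
    _sysmon_xml("2023-01-11 14:30:00.000", r"C:\Users\Public\dumper.exe", LSASS, "0x1010",
                r"C:\Windows\SYSTEM32\ntdll.dll+9d534|C:\Users\Public\dumper.exe+1a2b"),
    # Hypothetical: DUP_HANDLE on lsass from a source that is not on the allow list.
    _sysmon_xml("2023-01-11 14:31:00.000", r"C:\Windows\Temp\tool.exe", LSASS, "0x40",
                r"C:\Windows\SYSTEM32\ntdll.dll+9d534|C:\Windows\Temp\tool.exe+2c0f"),
]

if __name__ == "__main__":
    for src, tgt, rights, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10s} {src} -> {tgt} [{', '.join(rights)}]")
```

Two caveats worth keeping in mind when turning this into a production rule. First, PROCESS_DUP_HANDLE is not a harmless right: a process holding it can call DuplicateHandle on the target's own pseudo-handle and obtain a handle to the target with whatever access it wants, so what keeps the 0x40 events in this export quiet is the allow list on SourceImage, not the mask. Second, the export above has had its XML tag names stripped by the Splunk rendering, which is why the fields run together; a real pipeline should parse the event XML (as here) or Splunk's key=value rendering rather than the flattened text.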
10341000x800000000000000040473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.560{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.542{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.533{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.502{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.492{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.483{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.474{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.465{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.458{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.448{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.441{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.432{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.423{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.411{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 23542300x800000000000000040459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:24.059{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7161C4CBC439D9DCBEFDDF6B8D504139,SHA256=151DB3D0810A242692044A0973F7818F881F26176CECE7153FCDDAE14B8BAC26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:24.609{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.609{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.607{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.605{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C059-63BE-F300-00000000A702}6208C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.588{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.574{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.509{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.501{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.485{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.478{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.476{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.473{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.470{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.464{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.463{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000104296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:24.460{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 23542300x800000000000000040490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:25.529{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440BCF1047961162498F534D971CA657,SHA256=0085ACDB6C3EA6F3E8B7F61DE55C13A504C36B0A7A9D84583CD6D0955C8BA8D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:22.777{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50017-false10.0.1.12-8000- 354300x8000000000000000104314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:22.912{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59598-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:26.561{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B518D89AE25083A52F7210ED0AA88281,SHA256=49AA3B39E3754554323C3D89EB00917CFB966F7910C18E82513EDDFDB0968ACE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:26.111{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:26.111{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3412CC50E03D5DE19E0BCE1188E2C24,SHA256=5AC3998D8BDAF6FEACEDA9B712FCD6B4056D77DDB2AD0FBDDB2ED70A00D151E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:27.645{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA1A5A3CAFCEE24522126D3026383A7,SHA256=18285353BEFAB51330D1FDA51F32BC8B96C016FD112800D6C141143BF0CA4148,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:27.671{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:17:27.671 11241100x8000000000000000104318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:27.307{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:27.307{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FE96C538868B593A5D966C910EC3DF,SHA256=8AA2CBB625EDB05400DA6DA98DB09258CBE08F110E6BBD3186F0DD50AB9F5EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:28.744{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371941B9A60D039341A1670F1059CAD6,SHA256=574B1282137BDC59BC0E2F6EF56D29F3C5E03F859F417E0A1F94663E8AD7EC9B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:28.406{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000104320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:28.406{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194655049B5BAE25AFA56114D5EEC271,SHA256=45BFD2274B3FD06124E3C940007BBF86BB79F232CE6E7BD7E9F2342B54914C29,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000104379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:29.955{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000104378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:29.955{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x8000000000000000104377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.752{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.752{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409F7C3A6C16E6185505C82C0A87A3B5,SHA256=46512276A097964E71912E9DBE3C223735D7CA8518989BE6FC533FDBA466100C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000104375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.752{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000104374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.752{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EF4D5B498AF15E3B01ED7DAF24618AE4,SHA256=BDB69644E0300C80CC5DF300DF1E870725BB6C0789F9288D0275D1D4F844F6E4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000104373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.442{7DAC9CB3-C4F9-63BE-BA01-00000000A702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000104372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.427{7DAC9CB3-C4F9-63BE-BA01-00000000A702}2536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000104371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.427{7DAC9CB3-C4F9-63BE-BA01-00000000A702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000104370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.208{7DAC9CB3-C4F9-63BE-BA01-00000000A702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000104369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.208{7DAC9CB3-C4F9-63BE-BA01-00000000A702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000104368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.208{7DAC9CB3-C4F9-63BE-BA01-00000000A702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000104367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.208{7DAC9CB3-C4F9-63BE-BA01-00000000A702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000104366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.192{7DAC9CB3-C4F9-63BE-BA01-00000000A702}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
Microsoft-Windows-Sysmon/Operational records, one per line, fields in Sysmon schema order (constant columns factored out: Level=4 Opcode=0 Keywords=0x8000000000000000 Task=EventID RuleName=-; schema Version 3 for EventID 7 and 10, 5 for EventID 1 and 23, 2 for EventID 11 and 13):
EventID=7 RecordID=104365 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.192" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\wkscli.dll FileVersion="10.0.14393.5066 (rs1_release.220401-1841)" Description="Workstation Service Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=WKSCLI.DLL Hashes=MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104364 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.192" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\netutils.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Net Win32 API Helpers DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=NETUTILS.DLL Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104363 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.192" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\netapi32.dll FileVersion="10.0.14393.5427 (rs1_release.220929-2054)" Description="Net Win32 API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=NetApi32.DLL Hashes=MD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104362 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName=msvcp140.dll Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid
EventID=7 RecordID=104361 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\msvcp_win.dll FileVersion="10.0.14393.2999 (rs1_release_inmarket.190520-1518)" Description="Microsoft® C Runtime Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=msvcp_win.dll Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104360 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\oleaut32.dll FileVersion="10.0.14393.4402 (rs1_release.210426-1725)" Description=OLEAUT32.DLL Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=OLEAUT32.DLL Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104359 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\bcryptprimitives.dll FileVersion="10.0.14393.4770 (rs1_release.211101-1440)" Description="Windows Cryptographic Primitives Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=bcryptprimitives.dll Hashes=MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104358 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\combase.dll FileVersion="10.0.14393.5582 (rs1_release.221130-1719)" Description="Microsoft COM for Windows" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=COMBASE.DLL Hashes=MD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104357 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\ole32.dll FileVersion="10.0.14393.5127 (rs1_release_inmarket.220514-1756)" Description="Microsoft OLE for Windows" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=OLE32.DLL Hashes=MD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104356 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\Wldap32.dll FileVersion="10.0.14393.5356 (rs1_release.220906-1211)" Description="Win32 LDAP API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=WLDAP32.DLL Hashes=MD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104355 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\win32u.dll FileVersion="10.0.14393.51 (rs1_release_inmarket.160801-1836)" Description=Win32u Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=Win32u.DLL Hashes=MD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104354 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\adsldpc.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="ADs LDAP Provider C DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=adsldpc Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104353 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\gdi32full.dll FileVersion="10.0.14393.5582 (rs1_release.221130-1719)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=gdi32 Hashes=MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104352 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\user32.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Multi-User Windows USER API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=user32 Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104351 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\gdi32.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="GDI Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=gdi32 Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104350 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName=vcruntime140.dll Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid
EventID=7 RecordID=104349 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\archive.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 RecordID=104348 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\ws2_32.dll FileVersion="10.0.14393.3241 (rs1_release_inmarket.190910-1801)" Description="Windows Socket 2.0 32-Bit DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ws2_32.dll Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104347 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll" FileVersion=1.0.2za Description="OpenSSL Shared Library" Product="The OpenSSL Toolkit" Company="The OpenSSL Project, http://www.openssl.org/" OriginalFileName=libeay32.dll Hashes=MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 RecordID=104346 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 RecordID=104345 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 RecordID=104344 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\rpcrt4.dll FileVersion="10.0.14393.5291 (rs1_release.220806-1444)" Description="Remote Procedure Call Runtime" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=rpcrt4.dll Hashes=MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104343 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll" FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 RecordID=104342 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll" FileVersion=1.0.2za Description="OpenSSL Shared Library" Product="The OpenSSL Toolkit" Company="The OpenSSL Project, http://www.openssl.org/" OriginalFileName=ssleay32.dll Hashes=MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 RecordID=104341 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\ucrtbase.dll FileVersion="10.0.14393.3659 (rs1_release_1.200410-1813)" Description="Microsoft® C Runtime Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ucrtbase.dll Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104340 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\sechost.dll FileVersion="10.0.14393.5006 (rs1_release.220301-1704)" Description="Host for SCM/SDDL/LSA Lookup APIs" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=sechost.dll Hashes=MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104339 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\msvcrt.dll FileVersion="7.0.14393.2457 (rs1_release_inmarket.180822-1743)" Description="Windows NT CRT DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=msvcrt.dll Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104338 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\activeds.dll FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="ADs Router Layer DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ADs Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104337 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\fltLib.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Filter Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=filterLib.dll Hashes=MD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104336 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll" FileVersion=2.9.10 Description="libxml2 library" Product=libxml2 Company=- OriginalFileName=libxml2.dll Hashes=MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20 Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=7 RecordID=104335 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\advapi32.dll FileVersion="10.0.14393.5427 (rs1_release.220929-2054)" Description="Advanced Windows 32 Base API" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=advapi32.dll Hashes=MD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=10 RecordID=104334 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" SourceProcessGUID={7DAC9CB3-BE98-63BE-3600-00000000A702} SourceProcessId=3116 SourceThreadId=3136 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={7DAC9CB3-C4F9-63BE-BA01-00000000A702} TargetProcessId=2536 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=7 RecordID=104333 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\KernelBase.dll FileVersion="10.0.14393.5582 (rs1_release.221130-1719)" Description="Windows NT BASE API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=Kernelbase.dll Hashes=MD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104332 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\kernel32.dll FileVersion="10.0.14393.5582 (rs1_release.221130-1719)" Description="Windows NT BASE API Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=kernel32 Hashes=MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=10 RecordID=104331 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId=836 SourceThreadId=4356 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=104330 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId=836 SourceThreadId=4356 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=104329 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId=836 SourceThreadId=4356 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=104328 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId=836 SourceThreadId=4356 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=7 RecordID=104327 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded=C:\Windows\System32\ntdll.dll FileVersion="10.0.14393.5427 (rs1_release.220929-2054)" Description="NT Layer DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=ntdll.dll Hashes=MD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104326 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" FileVersion=10.0.10011.16384 Description="SplunkMonNoHandle Control Program" Product="Windows (R) Win 7 DDK driver" Company="Windows (R) Win 7 DDK provider" OriginalFileName=SplunkMonNoHandle.exe Hashes=MD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D Signed=true Signature="Splunk, Inc." SignatureStatus=Valid
EventID=10 RecordID=104325 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" SourceProcessGUID={7DAC9CB3-BE86-63BE-0500-00000000A702} SourceProcessId=420 SourceThreadId=436 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={7DAC9CB3-C4F9-63BE-BA01-00000000A702} TargetProcessId=2536 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
EventID=10 RecordID=104324 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" SourceProcessGUID={7DAC9CB3-BE97-63BE-2800-00000000A702} SourceProcessId=2656 SourceThreadId=3220 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={7DAC9CB3-C4F9-63BE-BA01-00000000A702} TargetProcessId=2536 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=1 RecordID=104323 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:29.177" ProcessGuid={7DAC9CB3-C4F9-63BE-BA01-00000000A702} ProcessId=2536 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" FileVersion=10.0.10011.16384 Description="SplunkMonNoHandle Control Program" Product="Windows (R) Win 7 DDK driver" Company="Windows (R) Win 7 DDK provider" OriginalFileName=SplunkMonNoHandle.exe CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={7DAC9CB3-BE87-63BE-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D ParentProcessGuid={7DAC9CB3-BE97-63BE-2800-00000000A702} ParentProcessId=2656 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=13 RecordID=104322 Computer=win-dc-ctus-attack-range-661.attackrange.local EventType=SetValue UtcTime="2023-01-11 14:17:29.161" ProcessGuid={7DAC9CB3-BE89-63BE-1200-00000000A702} ProcessId=488 Image=C:\Windows\system32\svchost.exe TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime Details="QWORD (0x01d925c7-0x6ffb88bc)"
EventID=23 RecordID=40494 Computer=win-host-ctus-attack-range-780 UtcTime="2023-01-11 14:17:30.081" ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=B438C8946BF684B14B1625DD70DCA05D,SHA256=60875742F25087803DF2E7568422E1C2E4E61173FD9760673161021D25C35F77,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 RecordID=104434 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.993" ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2023-01-10 09:32:18.990"
EventID=23 RecordID=104433 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.993" ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=9F014B12BEB32B64DD18C4973676C3B6,SHA256=5822E4C749879698D0EC0AF6D094007E42926DBB1271833CD9CECEC7AC666143,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 RecordID=104432 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.883" SourceProcessGUID={7DAC9CB3-C4FA-63BE-BB01-00000000A702} SourceProcessId=2512 SourceThreadId=1016 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" TargetProcessGUID={7DAC9CB3-BE97-63BE-2800-00000000A702} TargetProcessId=2656 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" GrantedAccess=0x101400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=7 RecordID=104431 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.883" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\dbgcore.dll FileVersion="10.0.14321.1024 (debuggers(dbg).210127-1811)" Description="Windows Core Debugging Helpers" Product="Microsoft® Windows® Operating System" Company=Microsoft OriginalFileName=DBGCORE.DLL Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104430 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.883" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\dbghelp.dll FileVersion="10.0.14321.1024 (rs1_release.160715-1616)" Description="Windows Image Helper" Product="Microsoft® Windows® Operating System" Company=Microsoft OriginalFileName=DBGHELP.DLL Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104429 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.697" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\cryptbase.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Base cryptographic API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=cryptbase.dll Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104428 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.697" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\rsaenh.dll FileVersion="10.0.14393.4467 (rs1_release.210604-1844)" Description="Microsoft Enhanced Cryptographic Provider" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=rsaenh.dll Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
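The records above carry the three event types a process-access rule has to reason about together: EventID 1 for the start of splunk-MonitorNoHandle.exe under splunkd.exe, EventID 10 handle opens on it with GrantedAccess 0x1fffff from csrss.exe, conhost.exe and the parent splunkd.exe (normal at process creation), four EventID 10 opens on sysmon64.exe from svchost.exe with only 0x1400 (query rights, not memory access), and EventID 7 loads of signed Microsoft and Splunk DLLs. The Python below is an added example, not part of this Splunk export and not Sysmon or Splunk code. It parses events in the Operational channel's XML shape, decodes GrantedAccess into PROCESS_* rights, and applies three triage rules: intrusive access to a sensitive target, PROCESS_ALL_ACCESS from anything other than the creation chain or the EventID 1 parent, and unsigned or out-of-place image loads. The sample events are constructed: five mirror records 104323, 104324, 104325, 104331 and 104365 with a subset of their fields, and records 900001 to 900003, the image C:\Users\Public\tool.exe and its GUIDs are hypothetical.

```python
"""Sysmon triage over EventID 1 (process create), 10 (process access) and 7 (image load).

Added example, not part of the page's Splunk export. SAMPLE_XML is constructed:
five events reproduce page records 104323, 104324, 104325, 104331 and 104365
(subset of fields); 900001-900003 and the image C:\\Users\\Public\\tool.exe are hypothetical.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Process access rights from winnt.h; 0x1fffff is PROCESS_ALL_ACCESS on Vista and later.
PROCESS_RIGHTS = {
    0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x8: "VM_OPERATION", 0x10: "VM_READ",
    0x20: "VM_WRITE", 0x40: "DUP_HANDLE", 0x80: "CREATE_PROCESS", 0x100: "SET_QUOTA",
    0x200: "SET_INFORMATION", 0x400: "QUERY_INFORMATION", 0x800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x2000: "SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
INTRUSIVE = {"VM_READ", "VM_WRITE", "VM_OPERATION", "CREATE_THREAD", "DUP_HANDLE"}
SENSITIVE_TARGETS = {"lsass.exe", "sysmon64.exe", "sysmon.exe"}
CREATION_CHAIN = {"csrss.exe", "conhost.exe"}  # open every new process with ALL_ACCESS


def decode_access(mask):
    """Names of the PROCESS_* bits set in a GrantedAccess string such as '0x1400'."""
    value = int(mask, 16)
    return {name for bit, name in PROCESS_RIGHTS.items() if value & bit}


def parse_sysmon_xml(text):
    """Flatten a run of <Event> elements into dicts keyed by EventData Name."""
    root = ET.fromstring("<Events>" + text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {"EventID": int(system.find("e:EventID", NS).text),
               "RecordID": int(system.find("e:EventRecordID", NS).text),
               "Computer": system.find("e:Computer", NS).text}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def _base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return (RecordID, rule, detail) findings; creation-time access is suppressed."""
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    windows_dlls = {_base(e["ImageLoaded"]) for e in events
                    if e["EventID"] == 7 and e["ImageLoaded"].lower().startswith("c:\\windows\\")}
    findings = []
    for e in events:
        if e["EventID"] == 10:
            rights = decode_access(e["GrantedAccess"])
            src, tgt = _base(e["SourceImage"]), _base(e["TargetImage"])
            if tgt in SENSITIVE_TARGETS and rights & INTRUSIVE:
                findings.append((e["RecordID"], "sensitive_process_access",
                                 "%s -> %s %s" % (src, tgt, sorted(rights & INTRUSIVE))))
            # ALL_ACCESS is expected from csrss/conhost and from the parent at creation time.
            elif (rights >= set(PROCESS_RIGHTS.values()) and src not in CREATION_CHAIN
                  and parent_of.get(e["TargetProcessGUID"]) != e["SourceProcessGUID"]):
                findings.append((e["RecordID"], "full_access_from_non_parent", src + " -> " + tgt))
        elif e["EventID"] == 7:
            loaded = e["ImageLoaded"]
            if e.get("Signed") != "true" or e.get("SignatureStatus") != "Valid":
                findings.append((e["RecordID"], "unsigned_image_load", loaded))
            # A name seen under C:\Windows loaded from elsewhere: search-order hijack candidate.
            if _base(loaded) in windows_dlls and not loaded.lower().startswith("c:\\windows\\"):
                findings.append((e["RecordID"], "dll_search_order_suspect", loaded))
    return sorted(findings)


def make_event(eid, rec, computer, **data):
    """Render one event in the Operational channel's XML shape (sample builder)."""
    fields = "".join('<Data Name="%s">%s</Data>' % (k, escape(v)) for k, v in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID><EventRecordID>%d</EventRecordID>'
            '<Computer>%s</Computer></System><EventData>%s</EventData></Event>'
            % (NS["e"], eid, rec, computer, fields))


DC = "win-dc-ctus-attack-range-661.attackrange.local"
UF = "C:\\Program Files\\SplunkUniversalForwarder\\bin\\"
MNH, SPLUNKD = UF + "splunk-MonitorNoHandle.exe", UF + "splunkd.exe"
G_MNH = "{7DAC9CB3-C4F9-63BE-BA01-00000000A702}"
G_SPLUNKD = "{7DAC9CB3-BE97-63BE-2800-00000000A702}"
TOOL = "C:\\Users\\Public\\tool.exe"  # hypothetical attacker binary, not on the page
G_TOOL, G_LSASS = "{00000000-0000-0000-0000-000000000001}", "{00000000-0000-0000-0000-000000000002}"
SAMPLE_XML = "".join([
    make_event(1, 104323, DC, ProcessGuid=G_MNH, ProcessId="2536", Image=MNH,
               ParentProcessGuid=G_SPLUNKD, ParentProcessId="2656", ParentImage=SPLUNKD),
    make_event(10, 104324, DC, SourceProcessGUID=G_SPLUNKD, SourceImage=SPLUNKD,
               TargetProcessGUID=G_MNH, TargetImage=MNH, GrantedAccess="0x1fffff"),
    make_event(10, 104325, DC, SourceProcessGUID="{7DAC9CB3-BE86-63BE-0500-00000000A702}",
               SourceImage="C:\\Windows\\system32\\csrss.exe", TargetProcessGUID=G_MNH,
               TargetImage=MNH, GrantedAccess="0x1fffff"),
    make_event(10, 104331, DC, SourceProcessGUID="{7DAC9CB3-BE88-63BE-0C00-00000000A702}",
               SourceImage="C:\\Windows\\system32\\svchost.exe",
               TargetProcessGUID="{7DAC9CB3-BE97-63BE-2D00-00000000A702}",
               TargetImage="C:\\Windows\\sysmon64.exe", GrantedAccess="0x1400"),
    make_event(7, 104365, DC, ProcessGuid=G_MNH, Image=MNH, ImageLoaded="C:\\Windows\\System32\\wkscli.dll",
               Signed="true", Signature="Microsoft Windows", SignatureStatus="Valid"),
    make_event(10, 900001, DC, SourceProcessGUID=G_TOOL, SourceImage=TOOL, TargetProcessGUID=G_LSASS,
               TargetImage="C:\\Windows\\system32\\lsass.exe", GrantedAccess="0x1010"),
    make_event(10, 900002, DC, SourceProcessGUID=G_TOOL, SourceImage=TOOL,
               TargetProcessGUID=G_MNH, TargetImage=MNH, GrantedAccess="0x1fffff"),
    make_event(7, 900003, DC, ProcessGuid=G_TOOL, Image=TOOL, ImageLoaded="C:\\Users\\Public\\wkscli.dll",
               Signed="false", Signature="-", SignatureStatus="Unavailable"),
])

if __name__ == "__main__":
    for finding in triage(parse_sysmon_xml(SAMPLE_XML)):
        print(*finding)
```

Run as a script it prints only the three hypothetical records: the page's own five events produce no finding, because 0x1400 carries no memory or thread rights and the 0x1fffff opens come from csrss.exe and from the GUID that EventID 1 names as the parent. Decoding the mask rather than matching on the raw value is what keeps the svchost.exe to sysmon64.exe opens quiet while still catching a 0x1010 (VM_READ plus QUERY_LIMITED_INFORMATION) open on lsass.exe.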
EventID=7 RecordID=104427 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.697" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\cryptsp.dll FileVersion="10.0.14393.2969 (rs1_release.190503-1820)" Description="Cryptographic Service Provider API" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=cryptsp.dll Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104426 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.697" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\srvcli.dll FileVersion="10.0.14393.5066 (rs1_release.220401-1841)" Description="Server Service Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=SRVCLI.DLL Hashes=MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104425 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.681" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\bcrypt.dll FileVersion="10.0.14393.4583 (rs1_release.210730-1850)" Description="Windows Cryptographic Primitives Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=bcrypt.dll Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104424 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.681" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\wkscli.dll FileVersion="10.0.14393.5066 (rs1_release.220401-1841)" Description="Workstation Service Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=WKSCLI.DLL Hashes=MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104423 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.681" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\netutils.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="Net Win32 API Helpers DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=NETUTILS.DLL Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104422 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.681" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\netapi32.dll FileVersion="10.0.14393.5427 (rs1_release.220929-2054)" Description="Net Win32 API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=NetApi32.DLL Hashes=MD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588C Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104421 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.681" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\kernel.appcore.dll FileVersion="10.0.14393.2312 (rs1_release.180607-1919)" Description="AppModel API Host" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=kernel.appcore.dll Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104420 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.681" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\Wldap32.dll FileVersion="10.0.14393.5356 (rs1_release.220906-1211)" Description="Win32 LDAP API DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=WLDAP32.DLL Hashes=MD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104419 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.681" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded=C:\Windows\System32\adsldpc.dll FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="ADs LDAP Provider C DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName=adsldpc Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=7 RecordID=104418 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime="2023-01-11 14:17:30.681" ProcessGuid={7DAC9CB3-C4FA-63BE-BB01-00000000A702} ProcessId=2512 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" ImageLoaded="C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll" FileVersion="14.16.27012.6 built by: vcwrkspc" Description="Microsoft® C Runtime Library" Product="Microsoft® Visual Studio® 2017" Company="Microsoft Corporation" OriginalFileName=msvcp140.dll Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD Signed=true Signature="Microsoft Corporation" SignatureStatus=Valid
734700x8000000000000000104417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000104416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000104415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000104414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000104413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000104412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000104411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000104410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000104409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000104408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000104407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000104406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000104405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000104404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000104403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000104402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000104401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000104400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000104399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000104398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.681{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000104397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.680{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000104396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.680{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000104395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.680{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000104394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.679{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x8000000000000000104393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.679{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000104392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.678{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000104391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.678{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000104390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.677{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000104389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.677{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000104388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.677{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:30.677{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.677{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:30.676{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.676{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.676{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.676{7DAC9CB3-C4FA-63BE-BB01-00000000A702}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000104381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:30.268{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000104380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:30.268{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF834C6142915EA8B2CC3D0A41C5E268,SHA256=45422063B1BD829F63699614B34B3C09AB5D8AED677DFB42B4C3FF446D4ABAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:31.398{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B05087533C862C1D67664A3FCD02532,SHA256=45F076AA5AFA326BDF91B22877195523F4797FF0606AABAE14B574D47D4880EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:28.705{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50018-false10.0.1.12-8000- 11241100x8000000000000000104496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.659{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.659{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004E2099F5586C54A5EB59CC07828501,SHA256=C0F8E9913A758CF2A245C690199B3D659B138254FDBE9A218529B93C51DA0759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.603{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=50DA9AC0C04CFC2F7A4B531FA066267B,SHA256=BC1E9AEA336E0C43ABD75A5BED0EA728DCC3789F2FA6BC8C55D3A0A03A654A38,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000104493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.386{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000104492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.386{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000104491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.385{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000104490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.196{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000104489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.196{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000104488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.196{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000104487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.196{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000104486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.180{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000104485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.180{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000104484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.180{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000104483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.180{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000104482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.180{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 
734700x8000000000000000104481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000104480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000104479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000104478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000104477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000104476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000104475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000104474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000104473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000104472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000104471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000104470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000104469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000104468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 
734700x8000000000000000104467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000104466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000104465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000104464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000104463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000104462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000104461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000104460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000104459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000104458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000104457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000104456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000104455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000104454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
734700x8000000000000000104453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000104452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000104451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000104450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:31.165{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000104449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000104448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000104447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000104446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000104445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:31.165{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:31.165{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000104440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.165{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000104439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:31.166{7DAC9CB3-C4FB-63BE-BC01-00000000A702}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:29.763{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59600-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000104437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
734700x8000000000000000104652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.682{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000104651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.682{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000104650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.666{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000104649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.666{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000104648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.666{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000104647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.666{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000104646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000104645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000104644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000104643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000104642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000104641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000104640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000104639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000104638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000104637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000104636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000104635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000104634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000104633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000104632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000104631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000104630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000104629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000104628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000104627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000104626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000104625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000104624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000104623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000104622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000104621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000104620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000104619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000104618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000104617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000104616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000104615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000104614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000104613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-C4FE-63BE-BF01-00000000A702}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000104612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:34.651{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:34.651{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
734700x8000000000000000104710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.540{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000104709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.540{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000104708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.540{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000104707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.540{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000104706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.540{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000104705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.540{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000104704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000104703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000104702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000104701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000104700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000104699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000104698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000104697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000104696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000104695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000104694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000104693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000104692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000104691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000104690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000104689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000104688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000104687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000104686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000104685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000104684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000104683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000104682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000104681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000104680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000104679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000104678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000104677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000104676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000104675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000104674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 
734700x8000000000000000104673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000104672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000104671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-C500-63BE-C001-00000000A702}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000104670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:36.524{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:36.524{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.722{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.690{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.680{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.669{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.661{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.658{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.655{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.652{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.650{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.649{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000104759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.647{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 11241100x8000000000000000104758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.333{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000104757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:44.333{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C80C8C2C253520DD8514597891BB98,SHA256=C07442743B735E19E4CEF2F11FABCE4F88999F51EA9B43273022DAF4CC5CFE64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.671{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.666{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.658{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.651{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.649{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.645{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.644{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.643{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.640{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.635{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.624{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.620{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.616{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.607{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.593{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 
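The records in this export are mostly Sysmon EventID 10 (ProcessAccess) events: aurora-agent.exe on both hosts opens every running process, lsass.exe and winlogon.exe included, within about two seconds and always with GrantedAccess 0x40, which is the pattern of a process scanner rather than a credential dumper. The Python below is an added example, not part of this export and not code from the Aurora, Sysmon or Splunk projects. It splits the fused Splunk export into records, decodes the EventID 10 body (the field order is inferred from the Windows event header and the Sysmon ProcessAccess schema; that mapping is an assumption), triages access to sensitive targets by the access-mask bits a dumper actually needs, and counts how many distinct targets one source touched. The allow-list and the verdict labels are hypothetical; the three sample records are copied verbatim from EventRecordIDs 40514, 40513 and 40512 on this page.

```python
"""Parse flattened Sysmon records (as exported on this page) and triage EventID 10."""
import re
from collections import defaultdict

# Export layout (assumed from the Windows event schema, not stated on the page):
# <EventID><Version><Level><Task><Opcode><Keywords><EventRecordID><Channel><event fields...>
# with no delimiter between fields; Sysmon sets Task equal to EventID.
HEADER = re.compile(
    r"^(?P<eid>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<body>.*)$", re.S)
# EventID 10 body in Sysmon ProcessAccess field order (assumed from the Sysmon schema).
PROCESS_ACCESS = re.compile(
    r"^(?P<host>.+?)-"                       # Computer; the '-' is the empty RuleName field
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<src_guid>[0-9A-Fa-f-]{36})\}"
    r"(?P<src_pid_tid>\d+)"                  # SourceProcessId+SourceThreadId fused; not separable
    r"(?P<src_image>[A-Za-z]:\\[^{]+)"
    r"\{(?P<tgt_guid>[0-9A-Fa-f-]{36})\}"
    r"(?P<tgt_pid>\d+)"
    r"(?P<tgt_image>[A-Za-z]:\\.+?\.exe)"
    r"(?P<access>0x[0-9A-Fa-f]+?)"           # lazy: stops where the call trace's drive letter begins
    r"(?P<calltrace>[A-Za-z]:\\.*)$", re.S | re.I)
# Records are separated by whitespace followed by a fresh header.
SPLIT = re.compile(r"\s+(?=\d+0x8[0-9A-Fa-f]{15}\d+Microsoft-Windows-Sysmon/Operational)")

SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe"}
# winnt.h process access rights a credential dumper needs; 0x40 (PROCESS_DUP_HANDLE) is not one.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x02, 0x08, 0x10, 0x20
MEMORY_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
# Hypothetical allow-list of scanner/EDR source images; tune per environment.
KNOWN_SCANNERS = {r"c:\program files\aurora-agent\aurora-agent.exe"}


def parse_records(stream):
    """Split the flattened export into records; decode the body only for EventID 10."""
    out = []
    for chunk in SPLIT.split(stream.replace("\n", "")):   # the page wraps lines after 'C:\Program '
        h = HEADER.match(chunk.strip())
        if not h:
            continue
        rec = {"eid": int(h["eid"]), "record": int(h["record"])}
        if rec["eid"] == 10:
            b = PROCESS_ACCESS.match(h["body"])
            if b:
                rec.update(b.groupdict())
                rec["access"] = int(rec["access"], 16)
        out.append(rec)
    return out


def assess(rec):
    """Triage one record: 'none' | 'info' | 'suspicious' (labels are this example's own)."""
    if rec["eid"] != 10 or "tgt_image" not in rec:
        return "none"
    target = rec["tgt_image"].rsplit("\\", 1)[-1].lower()
    if target not in SENSITIVE:
        return "none"
    wants_memory = bool(rec["access"] & MEMORY_RIGHTS)
    trusted = rec["src_image"].lower() in KNOWN_SCANNERS
    return "suspicious" if wants_memory and not trusted else "info"


def sweep_sources(records, min_targets=2):
    """(host, source GUID) pairs that opened >= min_targets distinct processes: a sweep."""
    seen = defaultdict(set)
    for r in records:
        if r["eid"] == 10 and "tgt_guid" in r:
            seen[(r["host"], r["src_guid"])].add(r["tgt_guid"])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_targets}


# Three records copied verbatim from the export (EventRecordIDs 40514, 40513, 40512);
# both ProcessAccess events carry the same call trace, so it is written once.
CALLTRACE = (
    r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|"
    r"C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|"
    r"C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|"
    r"C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|"
    r"C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|"
    r"C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190)"
)
SAMPLE = (
    "1034100" "0x8000000000000000" "40514" "Microsoft-Windows-Sysmon/Operational"
    "win-host-ctus-attack-range-780-2023-01-11 14:17:44.414{3EE3745C-BE85-63BE-2100-00000000A802}15524044"
    r"C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632"
    r"C:\Windows\system32\lsass.exe0x40" + CALLTRACE + " "
    "1034100" "0x8000000000000000" "40513" "Microsoft-Windows-Sysmon/Operational"
    "win-host-ctus-attack-range-780-2023-01-11 14:17:44.411{3EE3745C-BE85-63BE-2100-00000000A802}15524044"
    r"C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572"
    r"C:\Windows\system32\winlogon.exe0x40" + CALLTRACE + " "
    "2354230" "0x8000000000000000" "40512" "Microsoft-Windows-Sysmon/Operational"
    "win-host-ctus-attack-range-780-2023-01-11 14:17:43.756{3EE3745C-BE98-63BE-7400-00000000A802}3564"
    r"NT AUTHORITY\SYSTEM" r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
    "MD5=8F71AB06AFCE6182B9B25C2564613EE5,SHA256=67823A61E37A7D83FE522B13A5AF90BBC4D16C03FC026B5A88899B385CB7F755,"
    "IMPHASH=00000000000000000000000000000000falsetrue"
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["record"], r["eid"], r.get("tgt_image", "-"), assess(r))
    print(sweep_sources(recs))
```

GrantedAccess 0x40 carries none of the VM_READ, VM_WRITE, VM_OPERATION or CREATE_THREAD bits, so the lsass.exe and winlogon.exe opens on this page rate as informational; the same targets opened with 0x1010 or 0x1FFFFF by an image outside the allow-list would rate as suspicious. The source PID and thread ID are fused in this export ("15524044" on win-host, "58405876" on win-dc) and cannot be split without a delimiter, so the sweep counter keys on the source ProcessGUID instead, which is unique per process instance.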
10341000x800000000000000040526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.589{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.561{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.548{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.501{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000040522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.494{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
12241200x8000000000000000104951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000104950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000104949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000104948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000104947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000104945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000104944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000104943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000104941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x8000000000000000104940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:45.131{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7,IMPHASH=5CFF0D3EC414472191BC623FB107BCF1trueMicrosoft WindowsValid 12241200x8000000000000000104939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000104938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000104937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000104935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000104934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000104933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000104931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000104930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000104929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000104928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.176{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000104927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:45.146{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:45.146{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
12241200x8000000000000000104925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.146{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000104924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.146{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000104923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.146{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000104922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.146{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000104921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.146{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000104920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.146{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000104919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.146{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000104918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.131{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x8000000000000000104917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.131{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000104916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:45.131{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000104915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:45.131{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 12241200x8000000000000000104914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000104913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x8000000000000000104912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000104911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000104910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000104909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000104907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000104906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000104905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000104903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000104902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000104901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:45.097{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4,IMPHASH=EE3767E8CDC80CCB91A8FC0A7407A4A9trueMicrosoft WindowsValid 12241200x8000000000000000104900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000104899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000104897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000104896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000104895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000104893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000104892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000104891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.115{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000104890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.114{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000104889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.097{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000104888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.097{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000104887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.097{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exeHKCR 10341000x8000000000000000104886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:45.097{7DAC9CB3-BE89-63BE-1600-00000000A702}13005832C:\Windows\System32\svchost.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000104885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:45.083{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 12241200x8000000000000000104884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.083{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000104883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:17:45.083{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000104882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.083{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000104881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.083{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000104880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.083{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000104879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.083{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000104878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.083{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000104877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:17:45.083{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000104876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:44.847{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50021-false10.0.1.12-8000- 23542300x800000000000000040543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:46.285{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF719CC80E0F6445CE522736DBE8514F,SHA256=47826C430F579CC2BC3AA11D36E653BD89F31536B360446390094BCD4EF62B2F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:46.613{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000105049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:46.613{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6009B955B09C5D89053F2B6961681FB8,SHA256=DB3C34ADFBA825A944347EBA9A72BCABCF65FEDBBC30E13F38D2D1EEFA69D312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:45.045{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59603-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000105047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:46.162{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000105046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:46.162{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B92B53BC6A91467A9362553915A3CDAA,SHA256=3556B8343EA0B3DDCE0994E974FF2C05D8239237B6E6FEBFBDE24C6B122E59B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:47.380{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF8015083A4D66F287628CA4C26F297,SHA256=319438E230C764F1AF24E07D1660F3D0C5603341A3B3159926621389932EA794,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:47.584{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:47.584{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0753C64B7ACFE5392465C61AE3AA11A,SHA256=C4FBE9DF61887769F828F5D9A7F350E03A887441754ADC064C79D2821D77F81D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:47.051{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000105052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:47.051{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000105051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:47.051{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000040546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:48.582{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BB0CF381D9FA11CC23905CFECE8174,SHA256=77A307D232CD4B41FE2B02C14A1A0C99E983FC560FF2F4D20B94FC361E2B2E8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:48.680{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:48.680{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6B01443BFC4F596E3BF084102B1289,SHA256=DC4FCB9FE29D1520661BCA2ADAD9EFA07965766BAFFE26CBAEA69657716B37DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:49.890{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4327B50500E9DABA9647F5D4F0E254A,SHA256=F04276B9B2AF220F66C0676000B017DAF46714FB4DFC98EFDA18B824C42E5834,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:49.774{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:49.774{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A853563E6C4B4B0C41F10F2793136DD2,SHA256=868FB3E20838AEEC2C1F1AF782E482F39115E959E96B27666289B57498B49601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:50.988{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC4EC6FA48BB13EFC23AE4E2FB59C67,SHA256=D7C14389EE38A7E311A1538E71F9A2190B8D760E253783DC46B307719253CD0E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:50.969{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:50.969{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2287473D8FA74A35E57CF54EAEC52C2,SHA256=FF350B2EA996FB0599F96725A200DCA342DA7C96779ACCA7620D97930A343D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:50.800{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50022-false10.0.1.12-8000- 23542300x800000000000000040549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:52.080{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13ABDE4BD0E7530A77CA3EDF2DE61DCB,SHA256=73D4927B448E63F6FB6FD1A444CEA448887C734FDEA6F350F21D54DD3FB9467A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:50.934{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59604-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000105063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:52.061{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000105062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:52.061{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290728ADAC1DAB97EAC58FC948A3AE73,SHA256=6873DA2210AADBED2663757170C388EF7789C858976AF297313BF9DE9E1F3BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:53.168{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A25D563176499D4E72045E5BF6DE4FA,SHA256=8F1817A6AE9D2E0F2ACB52858780D8BA006CCEA3CEA1344A1172B9D2FD309B3F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:53.148{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:53.148{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520039C8D789EDD611DEF5851C406DAD,SHA256=AB077769F4BE3C2283F9EF63ECBACA09226194F510362294D04241B811D9A26A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000040552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:54.273{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894BCDED02CB7875B93D3BD565CB7B8F,SHA256=57B04102588906835E933A9E7FA4193BA0741C3B971D6A2589A2935B1C10D4A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:54.235{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:54.235{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0D42F8366E68D5263CD227B91A7F3F,SHA256=DFDBCEA491DC87CA4C3FF7BE373F82137F63FD65843A6A379DBC541CF78EDB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:55.376{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8145279D734E66DF89B11426E9081136,SHA256=E66084E27A12365A60FD84936B45056FB7532787DAD104323FBDFEDB3E9ACB37,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000105070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:55.322{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:55.322{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFEF101EE85B6CD6FA831A794056551B,SHA256=139156E36691397FDB66E01D03E468342232D36F1BA5888EE2A32BAA4265C107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:56.491{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE03CBF13C665752270197790E3ECBCA,SHA256=7DF93E0413EF954F51C48DE524BB99D0DEF59787D9624849013A9A58FBD88FE3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:56.413{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:17:56.413{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784A552578AD9FDF2865507E68599DC4,SHA256=E96530F470F1ADE41D26B0A51A8CCD309128F11C87C0E0F41FE2F6F9E07B7017,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:57.654{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:17:57.654 23542300x8000000000000000105077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:57.627{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-026MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:57.625{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\respondent-20230111135017-0262023-01-11 14:17:57.625 11241100x8000000000000000105075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:57.623{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\surveyor-20230111135015-0272023-01-11 14:17:57.623 
11241100x8000000000000000105074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:57.498{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:57.498{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BAC3597ED83A6F410673D52EA5A88B,SHA256=82BF3D4AA358204E32E0A6EF9584C088A414C09D460C8F574B82FA0087CE36D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:57.997{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F671223968BC540A5FF980C868810381,SHA256=0A1EFEED0281E1AD54A4BD25BABED12678DAA7D3519497B17C0F533C0B6FB765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:57.589{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF14477FA6EE2BCFF54FFFF66DE5011,SHA256=9695D35B3A55A9A4F2DBE26E74CF2B7976BB19B238C9F7F246811CFB819A247B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:17:56.679{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50023-false10.0.1.12-8000- 23542300x800000000000000040557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:17:58.667{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116530D6F7534227A41AF201619A682F,SHA256=2A795DCC8B4386042A2C60F7707A50F3E5B98719C4717A19DC73781ED5CC511A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:58.634{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:58.586{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:17:58.586{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000105133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.270{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000105132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.262{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000105131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.260{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000105130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000105129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.254{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000105128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.251{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000105127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.250{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000105126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.248{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000105125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.153{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:04.153{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E92A1D58EA85E61E365907A99BD2C1,SHA256=6E4B49F4535593F35EC39A209D490AF9327E3CAD6A064B8496CB5555E1ED95F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.725{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.716{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.710{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.706{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.705{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.701{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.699{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.697{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.695{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.686{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.673{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.669{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.664{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.656{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.645{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 
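The records above are Sysmon ProcessAccess events (Event ID 10) whose field delimiters were lost in extraction: each one still carries UtcTime, the source and target process GUID, PID and image, the GrantedAccess mask and a CallTrace. Read together they show one source, aurora-agent.exe, opening a handle to nearly every process on the host within a few hundred milliseconds, every time with GrantedAccess 0x40 (PROCESS_DUP_HANDLE) and an identical call trace, including lsass.exe and winlogon.exe. The added example below (not part of the dataset or of the Aurora agent) shows how an analyst separates that kind of enumeration sweep from credential theft: it parses Event 10 records, decodes the access mask, flags memory or thread rights on credential-bearing processes, and detects one source sweeping many targets in a short window. It assumes Sysmon's own EventData XML layout rather than the page's delimiter-less flattening; the sample records are constructed from six of the page's targets, the CallTrace is abbreviated, and the `dump.exe` source with mask 0x1010 is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access rights from winnt.h (only the bits that matter for handle triage).
ACCESS_BITS = {
    0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEMORY_BITS = 0x0002 | 0x0008 | 0x0010 | 0x0020   # rights that read or alter target memory/threads
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe"}


def parse_event(xml_text):
    """Flatten one Sysmon Event XML record into a dict keyed by EventData Name."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    ev["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    ev["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    ev["_ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def decode_access(mask_hex):
    """Turn a GrantedAccess mask such as 0x40 into its PROCESS_* right names."""
    mask = int(mask_hex, 16)
    if mask & 0x1FFFFF == 0x1FFFFF:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def is_sensitive_access(ev):
    """A memory or thread right granted on a credential-bearing process."""
    target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
    return target in SENSITIVE_TARGETS and bool(int(ev["GrantedAccess"], 16) & MEMORY_BITS)


def find_sweeps(events, min_targets=5, window=timedelta(seconds=2)):
    """One source process opening handles to many distinct targets inside `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] == "10":
            by_source[(ev["Computer"], ev["SourceProcessGUID"])].append(ev)
    sweeps = []
    for (computer, _guid), evs in by_source.items():
        evs.sort(key=lambda e: e["_ts"])
        best, start = [], 0
        for end in range(len(evs)):                 # sliding time window over sorted events
            while evs[end]["_ts"] - evs[start]["_ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        targets = {e["TargetProcessGUID"] for e in best}
        if len(targets) >= min_targets:
            sweeps.append({"computer": computer, "source": best[0]["SourceImage"],
                           "targets": len(targets),
                           "access": sorted({e["GrantedAccess"] for e in best}),
                           "call_traces": len({e["CallTrace"] for e in best})})
    return sweeps


def triage(xml_records):
    events = [parse_event(x) for x in xml_records]
    sensitive = [(e["SourceImage"], e["TargetImage"], decode_access(e["GrantedAccess"]))
                 for e in events if e["EventID"] == "10" and is_sensitive_access(e)]
    return {"sensitive": sensitive, "sweeps": find_sweeps(events)}


# --- constructed sample input (not from the dataset), in Sysmon's own EventData XML layout ---
_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    "<EventID>10</EventID><Computer>{computer}</Computer></System><EventData>"
    '<Data Name="UtcTime">{utc}</Data><Data Name="SourceProcessGUID">{sguid}</Data>'
    '<Data Name="SourceImage">{simage}</Data><Data Name="TargetProcessGUID">{tguid}</Data>'
    '<Data Name="TargetProcessId">{tpid}</Data><Data Name="TargetImage">{timage}</Data>'
    '<Data Name="GrantedAccess">{access}</Data><Data Name="CallTrace">{trace}</Data>'
    "</EventData></Event>"
)
HOST = "win-host-ctus-attack-range-780"
AURORA = r"C:\Program Files\Aurora-Agent\aurora-agent.exe"
AURORA_GUID = "{3EE3745C-BE85-63BE-2100-00000000A802}"
TRACE = (r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|"
         r"C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255")   # abbreviated from the page
_AURORA_TARGETS = [  # six of the targets the agent sweeps on the page, same mask and trace
    ("14:18:04.426", "0900", "572", r"C:\Windows\system32\winlogon.exe"),
    ("14:18:04.436", "0B00", "632", r"C:\Windows\system32\lsass.exe"),
    ("14:18:04.452", "0C00", "728", r"C:\Windows\system32\svchost.exe"),
    ("14:18:04.459", "0D00", "788", r"C:\Windows\system32\svchost.exe"),
    ("14:18:04.469", "0E00", "896", r"C:\Windows\system32\LogonUI.exe"),
    ("14:18:04.481", "0F00", "904", r"C:\Windows\system32\dwm.exe"),
]
SAMPLE_RECORDS = [
    _TEMPLATE.format(computer=HOST, utc="2023-01-11 " + t, sguid=AURORA_GUID, simage=AURORA,
                     tguid="{3EE3745C-BE84-63BE-%s-00000000A802}" % g, tpid=pid, timage=img,
                     access="0x40", trace=TRACE)
    for t, g, pid, img in _AURORA_TARGETS
] + [
    # hypothetical tool (invented for the example) reading lsass memory: VM_READ|QUERY_LIMITED
    _TEMPLATE.format(computer=HOST, utc="2023-01-11 14:20:00.000",
                     sguid="{3EE3745C-C1D0-63BE-FF00-00000000A802}", simage=r"C:\Users\Public\dump.exe",
                     tguid="{3EE3745C-BE84-63BE-0B00-00000000A802}", tpid="632",
                     timage=r"C:\Windows\system32\lsass.exe", access="0x1010",
                     trace=r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Users\Public\dump.exe+1234"),
]
```

Run `triage(SAMPLE_RECORDS)`: the Aurora handles to lsass.exe and winlogon.exe are not flagged as sensitive because 0x40 carries no memory or thread right, but the source is reported as a sweep (six distinct targets inside two seconds, a single mask, a single call trace). The hypothetical 0x1010 open on lsass.exe is the opposite shape: one target, PROCESS_VM_READ present. The `call_traces` count is the check worth keeping when tuning: an enumerator that calls OpenProcess from one code path produces one trace across every target, so a sweep whose trace set is also one entry and whose source image is a known agent is an allowlist candidate, while the same volume with varying traces or a mask containing VM_READ/VM_WRITE is not.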
10341000x800000000000000040587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.641{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.617{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.601{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.553{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.539{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.521{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.493{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.487{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.481{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.469{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.459{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.452{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.436{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000040574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.426{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 23542300x800000000000000040573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:04.360{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55779A342920E28F83B22B624B933260,SHA256=20F5D5815A1BB99D0721029C10BF2E155104BD0B13E0CF7925C7489D39A4D071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:05.468{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0035C81DDF0A841592ED87128A5048A,SHA256=90E41A85F8B48A21B23E424B874EB513DE196D10CB9B6D91EF949A74D0737A94,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:05.219{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:05.219{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1EC215EB08B369847F9784B4B96315,SHA256=F842167B6D1D4C86B156858DA0ED26DAC5EB0D3FC5C22D4B60899800B5E22CE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:02.667{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50024-false10.0.1.12-8000- 23542300x800000000000000040605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:06.655{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302EEE67FE901BD5E6E7AAA78FA24A97,SHA256=6069C59F8D4B703DE3CFE678EBDB92B7370BCFFF78E470AE1B00EEB7CFF095F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:06.305{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:06.305{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAFA9740B9D7830E64E7D6BE3DAA125,SHA256=ACA7DB7A0AC589227F3F1B22DA9FB508493220493CCD1E69D00DFC5DE5061A6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:07.832{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:07.832{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:07.832{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:07.815{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:07.743{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB6EE90C3CEDD41B036C53DC6174DF1,SHA256=45526E5EC98629B364EB7CBD23E7430A7F417C5D8B60111409FB5AFB85866FF0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:07.385{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:07.385{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1451933D5E055E10DE5254B2299F30C0,SHA256=1B838F1E8B00F57210F5CA9C438AF2D8DFFFDFE15422A675EEDBA4B5ABF8B468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:08.837{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8ED62EC2C577F32453F33FB7FEDFDD,SHA256=7A9835546C5EEA37D669011E6754CDF67AB64E54965D432B2BD0BA9DCDE97222,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:06.942{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59607-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000105149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:08.480{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:08.480{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC10E0890D2BBF13DB603EFEEF55ACB,SHA256=AC56726D609CB21D3EA37D4A3F799E3D56BC3B4682256F740E8176D393264E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:09.928{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B441AF1C7A1F81B920DA14C38A3D55A,SHA256=E0154FB655C0C9F5516CE2D4B06BD100FC490DE687B2D7E081C3F2289699D67B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:09.572{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:09.572{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821DD1667AF1A172C757C71EA5F58AEF,SHA256=FC574E18F563B2EE73B52C9E3C8059F38B70E4B33458A1FE376D776E6734BA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:09.415{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:10.673{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:10.673{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15271CC90ACC02E53A928FAAFC89C0CD,SHA256=77A3931721E54B9F0AC8A1CC678A15B356C1BC3C9E28293E2F60F731D16456F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:07.777{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50025-false10.0.1.12-8000- 11241100x8000000000000000105156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:11.780{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:11.780{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32E049F14110CDE01F6B469E028066A,SHA256=0CC9921AD4872A2138A6FC799E76D61C3813812B84E791492640560A17D4A92E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.859{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C523-63BE-6001-00000000A802}412C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.858{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C523-63BE-6001-00000000A802}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.858{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C523-63BE-6001-00000000A802}412C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 23542300x800000000000000040644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.824{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A3D3FC579ADF288DAD968F279F52489D,SHA256=16F2956FA78195E0693DCA89FE209A4409D3EC8CBF020144F0DF1E83511B9E45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.514{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C523-63BE-6001-00000000A802}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.514{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.514{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C523-63BE-6001-00000000A802}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.514{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C523-63BE-6001-00000000A802}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.515{3EE3745C-C523-63BE-6001-00000000A802}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.295{3EE3745C-C523-63BE-5F01-00000000A802}36921880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:08.994{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50026-false10.0.1.12-8089- 23542300x800000000000000040628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.154{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136BCAA7A2DC9361E59E818278E1F218,SHA256=B575449AA07E09BFB1227E9DD76316A2E62E1769C7179550913A951BFFF5AD42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.014{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C523-63BE-5F01-00000000A802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:11.014{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.014{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C523-63BE-5F01-00000000A802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.014{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C523-63BE-5F01-00000000A802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:11.015{3EE3745C-C523-63BE-5F01-00000000A802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000105158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:12.887{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:12.887{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13292D8EAE1ABCBAFFF7EED04A97DB55,SHA256=70415FBCC75E1208B7E4F938223589900EB5163BDA5F145D4606210F8980ABEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.379{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C524-63BE-6101-00000000A802}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.379{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.379{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C524-63BE-6101-00000000A802}936C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.379{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C524-63BE-6101-00000000A802}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.380{3EE3745C-C524-63BE-6101-00000000A802}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.254{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC0221A1416DED128F3FEC1227FD48E,SHA256=47A48608BDE691790EA903C1747B957D360CFAEBB616D531E9CA2D229BAEEDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.192{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0CD972F9E9F733CD71CEBD47FA493302,SHA256=1F3C4520D5930913588DE696F089A5BA619E7ABAA8A08A014B517C631C3152B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:12.160{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E440E5E9EAF60CB62329A9DA3E5E658B,SHA256=9C8F59AC57A506A9F65FD69EF7965848CEAD3FEFA513121F4962C07FB5D22E07,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:13.971{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:13.971{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAE91242A432348AB6D1D73D940218C,SHA256=86B84AD473A70CE5201063877C1DDD63D035DE015B49D2CB16A66506D1A153D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:13.939{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C525-63BE-6201-00000000A802}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:13.936{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:13.935{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C525-63BE-6201-00000000A802}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:13.936{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:13.936{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:13.936{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:13.936{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:16.489{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:16.489{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:16.489{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:16.489{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:16.489{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:16.489{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:16.489{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C528-63BE-6501-00000000A802}3704C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:16.489{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C528-63BE-6501-00000000A802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:16.490{3EE3745C-C528-63BE-6501-00000000A802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000105165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:16.076{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-10 09:33:07.314 23542300x8000000000000000105164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:16.076{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:17.753{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FD20F5DCAA546A4D194B95F1F5564B,SHA256=C5D75486E37DDA31935B14A4A329BEFC74E08FAD20F5AF9770F56ABDC1DDFDBF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:17.262{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:17.262{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF3C41A68074327C823F5D40A2605C1,SHA256=E999F8305DFC9CDC18ADC15A874D7BB1F1559D7598E47AC93E63B34715DC08C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:17.565{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9867B5B0EDFBC8B85DCD2CED5C985770,SHA256=DEF6FA098FA92397C29E781DBC6DCF096D5A30CE427EA67CC6EC1143B161E9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:18.844{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305BE6BEB8AF81CD1FAE61202DC94FBE,SHA256=914DEB665924FBC7B7991F86CEC799EC9ACAA3696FCD9EC08746E1A708CC6994,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:18.474{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:18.474{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBAA3EF595DF95477585947EF59F6EC0,SHA256=55E95ECE950CC6F8EFAD34A10ECC7AA70257EA28DCD209F31A04F05E0E2C3540,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:15.867{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59609-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000040727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:19.932{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E09995B2604F7E4372B3153FEB828D,SHA256=7103FFFA03AAB4F950AD03B327969D53194E51DE8C6EA6848C28870EC120B72D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:19.574{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
EventRecordID=105173 | EventID=23 (FileDelete) | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:19.574 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=41B8D60577766349E288D0F32C289FFE,SHA256=ADD2023755CD093102E5C3B22AE684EFA9885B03DC38CA183A33C4EE3F362A40,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventRecordID=105177 | EventID=11 (FileCreate) | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:20.671 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2023-01-10 09:32:18.990

EventRecordID=105176 | EventID=23 (FileDelete) | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:20.671 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CBDC6F95440BDDEBB8976007074B7FCD,SHA256=F09885AE705DC177E0082C953AB77015B77D5A474843B937A0B53ED1F8783433,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventRecordID=105175 | EventID=3 (NetworkConnect) | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:17.966 | ProcessGuid={7DAC9CB3-BEA4-63BE-7100-00000000A702} | ProcessId=3944 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-ctus-attack-range-661.attackrange.local | SourcePort=59610 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventRecordID=105205 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.838 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-3000-00000000A702} | TargetProcessId=2760 | TargetImage=C:\Windows\system32\dfssvc.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105204 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.836 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2E00-00000000A702} | TargetProcessId=2740 | TargetImage=C:\Windows\System32\ismserv.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105203 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.828 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} | TargetProcessId=2728 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105202 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.825 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2C00-00000000A702} | TargetProcessId=2708 | TargetImage=C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105201 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.814 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2B00-00000000A702} | TargetProcessId=2700 | TargetImage=C:\Windows\system32\DFSRs.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105200 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.809 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2A00-00000000A702} | TargetProcessId=2692 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105199 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.804 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2800-00000000A702} | TargetProcessId=2656 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105198 | EventID=11 (FileCreate) | Version=2 | Level=4 | Task=11 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.715 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2023-01-10 09:32:18.990

EventRecordID=105197 | EventID=23 (FileDelete) | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.714 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A97A321C9B39D90825DC296F4A518CC1,SHA256=6222195F8466C2B6EBD9BBDE6D2953FAD4BF01A3F197935E14AAD94A362EBE23,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventRecordID=40729 | EventID=23 (FileDelete) | Version=5 | Level=4 | Task=23 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-780
RuleName=- | UtcTime=2023-01-11 14:18:21.026 | ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId=3564 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=C5F5AB981E002658C3BD865533602E75,SHA256=701394EE7A7E833B9B18167049672C041903A5FA26C6B1D4F0D4D1B04B4EC598,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=40728 | EventID=3 (NetworkConnect) | Version=5 | Level=4 | Task=3 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-host-ctus-attack-range-780
RuleName=- | UtcTime=2023-01-11 14:18:18.745 | ProcessGuid={3EE3745C-BE91-63BE-6200-00000000A802} | ProcessId=3328 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-ctus-attack-range-780.us-east-2.compute.internal | SourcePort=50028 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-

EventRecordID=105196 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.276 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2700-00000000A702} | TargetProcessId=2552 | TargetImage=C:\Windows\system32\dns.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105195 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.263 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2600-00000000A702} | TargetProcessId=2544 | TargetImage=C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
EventRecordID=105194 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.254 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE97-63BE-2500-00000000A702} | TargetProcessId=2468 | TargetImage=C:\Windows\System32\spoolsv.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105193 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.250 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE92-63BE-2300-00000000A702} | TargetProcessId=2324 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105192 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.248 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE8A-63BE-1D00-00000000A702} | TargetProcessId=2072 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105191 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.244 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE89-63BE-1700-00000000A702} | TargetProcessId=1424 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105190 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.203 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE89-63BE-1600-00000000A702} | TargetProcessId=1300 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105189 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.195 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE89-63BE-1500-00000000A702} | TargetProcessId=1236 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105188 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.188 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE89-63BE-1400-00000000A702} | TargetProcessId=1120 | TargetImage=C:\Windows\system32\dwm.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105187 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.170 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE89-63BE-1300-00000000A702} | TargetProcessId=932 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105186 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.155 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE89-63BE-1200-00000000A702} | TargetProcessId=488 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105185 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.143 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE89-63BE-1100-00000000A702} | TargetProcessId=412 | TargetImage=C:\Windows\System32\svchost.exe | GrantedAccess=0x40
CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)

EventRecordID=105184 | EventID=10 (ProcessAccess) | Version=3 | Level=4 | Task=10 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=win-dc-ctus-attack-range-661.attackrange.local
RuleName=- | UtcTime=2023-01-11 14:18:21.129 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=5920 | SourceImage=C:\Program (record continues past the end of this section)
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:21.118{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:21.101{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:21.079{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:21.065{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:21.004{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:21.001{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 11241100x8000000000000000105207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:22.819{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:22.819{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680DD1FB9EBA44895448DBB60B517B64,SHA256=8EA81B180DF0BB5276A8291982237507B52992CEBBB4A9A42749097D6898CEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:22.120{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610D7B1A484B414A413B43580E9AFC67,SHA256=5190DEBA66C531223FBA8FEE56BAF43D5783278532AB16D1508EC6B1D4B97798,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:23.930{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:23.930{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63105EAE49FF9FF6559DE221C57CEFC8,SHA256=D35F69EE232D0A10E7E9BCE18151FDE192E6F4253AE3E2E4AF374B34FBAD3CDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:23.884{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 
10341000x8000000000000000105209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:23.883{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:23.882{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000040731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:23.228{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2CE265C30FB798998FF764DAD2C18D,SHA256=90FE8E873FC4F9C69922BBF4878FE0432ECB0FE928FF6BEA6467685D69A9F343,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.907{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.907{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399F5B6FA698691105810E0A26649FEF,SHA256=3C33E8BB678AABC63B4205D141771E8BE0A8293540A739D45A02D460CE1B1BCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.589{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 
10341000x800000000000000040760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.587{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.584{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.582{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.581{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.578{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.577{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.575{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.573{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.568{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.560{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.556{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.554{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.541{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.532{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 
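The records above are Sysmon events (EventID 10 ProcessAccess, 23 FileDelete, 11 FileCreate) exported with every field fused into one string: in "10341000x8000000000000000105179..." the leading digits are EventID 10, Version 3, Level 4, Task 10, Opcode 0, then Keywords, EventRecordID, Channel, Computer, RuleName "-" and UtcTime, followed by the event body. The ProcessAccess records show aurora-agent.exe opening every process on both hosts, lsass.exe included, with GrantedAccess 0x40, which is PROCESS_DUP_HANDLE only, and a CallTrace whose wow64 frames mark a 32-bit agent build on 64-bit Windows. The following parser and check are an added example, not code from this page, from the Splunk Attack Range, or from the Aurora or Splunk projects. It recovers the fields positionally from the Sysmon schema and assumes that RuleName is "-" (true of every record on the page) and that SourceProcessId and SourceThreadId are fused (58405920) and cannot be split, so they are kept as one string. The sample input is three records copied from the page plus one constructed record (record 999999, hypothetical C:\Users\Public\tool.exe with GrantedAccess 0x1010) so the lsass check has something to flag.

```python
"""Recover fields from the delimiter-less Sysmon export on this page and
flag LSASS handles that carry read/inject rights.

Assumptions (see lead-in): RuleName is "-", SourceProcessId+SourceThreadId
stay fused, and only EventIDs 10, 23 and 11 get a body parser.
"""
import ntpath
import re

# Process access rights from winnt.h, used to decode GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE", 0x0002: "CREATE_THREAD", 0x0008: "VM_OPERATION",
    0x0010: "VM_READ", 0x0020: "VM_WRITE", 0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS", 0x0100: "SET_QUOTA", 0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION", 0x0800: "SUSPEND_RESUME",
    0x1000: "QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
READ_OR_INJECT = 0x0010 | 0x0020 | 0x0002  # VM_READ | VM_WRITE | CREATE_THREAD

# A record starts with "<EventID><Version><Level><Task><Opcode>0x8000000000000000<RecordID>Microsoft-...";
# the lookbehind keeps the split from firing inside that digit run.
RECORD_START = re.compile(r"(?<!\d)(?=\d{5,7}0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational)")
HEADER = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"  # Sysmon Task == EventID
    r"0x8000000000000000(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>\S+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$"  # "-" is RuleName
)
BODY = {
    # 10 ProcessAccess: SourceProcessGUID, SourcePid+Tid, SourceImage, TargetProcessGUID, TargetPid, TargetImage, GrantedAccess, CallTrace
    10: re.compile(
        r"^\{(?P<src_guid>[0-9A-F-]+)\}(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\.+?)"
        r"\{(?P<tgt_guid>[0-9A-F-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.+?)"
        r"(?P<access>0x[0-9A-Fa-f]+?)(?P<calltrace>[A-Za-z]:\\.+)$"
    ),
    # 23 FileDelete: ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived
    23: re.compile(
        r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<user>.+?)(?P<image>[A-Za-z]:\\.+?)"
        r"(?P<target>[A-Za-z]:\\.+?)(?P<hashes>MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)"
        r"(?P<is_executable>true|false)(?P<archived>true|false)$"
    ),
    # 11 FileCreate: ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime
    11: re.compile(
        r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>[A-Za-z]:\\.+?)(?P<target>[A-Za-z]:\\.+?)"
        r"(?P<creation_utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})$"
    ),
}


def parse_records(dump):
    """Yield one dict per Sysmon event found in the fused export."""
    for chunk in RECORD_START.split(dump):
        chunk = chunk.strip()
        head = HEADER.match(chunk) if chunk else None
        if not head:
            continue  # not a header we understand; leave it for a human
        event = head.groupdict()
        event["event_id"] = int(event["event_id"])
        raw_body = event.pop("body")
        body = BODY[event["event_id"]].match(raw_body) if event["event_id"] in BODY else None
        if body:
            event.update(body.groupdict())
        else:
            event["raw_body"] = raw_body  # keep unparsed bodies rather than drop them
        yield event


def decode_access(mask):
    """Turn a GrantedAccess hex string into the list of process rights it carries."""
    value = int(mask, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]


def lsass_access(events, allowlist=frozenset()):
    """Return every ProcessAccess whose target is lsass.exe, with a verdict.

    Only a handle carrying a read or inject right is marked suspicious;
    PROCESS_DUP_HANDLE alone (0x40, the sweep on this page) is recorded but
    not flagged. allowlist holds lower-cased full paths of expected readers.
    """
    hits = []
    for e in events:
        if e["event_id"] != 10 or "tgt_image" not in e:
            continue
        if ntpath.basename(e["tgt_image"]).lower() != "lsass.exe":
            continue
        mask = int(e["access"], 16)
        hits.append({
            "record_id": e["record_id"], "utc": e["utc"], "source": e["src_image"],
            "access": e["access"], "rights": decode_access(e["access"]),
            "wow64": "(wow64)" in e["calltrace"],
            "suspicious": bool(mask & READ_OR_INJECT) and e["src_image"].lower() not in allowlist,
        })
    return hits


# Sample input: three records copied from this page, plus one CONSTRUCTED record
# (record 999999, hypothetical C:\Users\Public\tool.exe) so the rule has something to flag.
SAMPLE_RECORDS = [
    r"10341000x8000000000000000105179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:21.004{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)",
    r"23542300x8000000000000000105206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:22.819{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680DD1FB9EBA44895448DBB60B517B64,SHA256=8EA81B180DF0BB5276A8291982237507B52992CEBBB4A9A42749097D6898CEDE,IMPHASH=00000000000000000000000000000000falsetrue",
    r"11241100x8000000000000000105207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:22.819{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990",
    r"10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.000{7DAC9CB3-C0FF-63BE-EE00-00000000A702}41204124C:\Users\Public\tool.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Users\Public\tool.exe+1234",
]
SAMPLE_DUMP = " ".join(SAMPLE_RECORDS)

if __name__ == "__main__":
    for hit in lsass_access(list(parse_records(SAMPLE_DUMP))):
        print(hit)
```

When feeding the page text itself, join its physical lines with nothing between them: the breaks fall inside paths such as "C:\Program Files". The point of the verdict logic is the caveat the dump illustrates: a rule that pages on any handle to lsass.exe fires once per process sweep of an agent like the one above, while keying on VM_READ, VM_WRITE or CREATE_THREAD in GrantedAccess (the bits behind the usual 0x1010, 0x1410 and 0x1FFFFF patterns) stays quiet on 0x40 and still catches the constructed record. The only reliable split of the fused pid/tid is to re-export with a delimiter; guessing it from digit counts will be wrong for four-digit pids.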
10341000x800000000000000040746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.530{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.516{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.506{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.483{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.476{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.468{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.461{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.454{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.449{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.438{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.431{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.422{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.416{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000040733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.413{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 23542300x800000000000000040732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.342{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33D72A97E66C933340C60535CAEF9A0,SHA256=628D1540FD5B09D83219F58D37C45AF34BDF38B02EB543AEDDB0A55229F2C517,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:24.530{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.528{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.528{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.526{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.505{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.494{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.447{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.439{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.419{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.413{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.411{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.408{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.407{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.402{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.401{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000105213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.400{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 11241100x8000000000000000105233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:25.995{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:25.995{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69D962068F857EB9046F9A35E71A307,SHA256=A82A7A8B7151DC25A06E6AF48EC4CDCA62D6962AD5C3A7AD6575063EC5A9E1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:25.753{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BE8B717D0C48190A6C988922655D39,SHA256=756B9E31FBDAB70ECBEA745DD39B847A581506B52B8BB9B383B572C86865A76D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:23.048{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59611-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000105238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:27.651{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:18:27.651 354300x8000000000000000105237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:25.156{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local138netbios-dgm 
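The Event ID 10 (ProcessAccess) records above show C:\Program Files\Aurora-Agent\aurora-agent.exe opening a handle to every running process on both hosts, lsass.exe and winlogon.exe included, with GrantedAccess 0x40 (PROCESS_DUP_HANDLE only, no PROCESS_VM_READ); the wow64.dll and wow64cpu.dll frames in every CallTrace show the agent running as a 32-bit process under WOW64. That is exactly the benign sweep a Sysmon LSASS-access rule has to tolerate without also tolerating a credential dumper. The following Python is an added example, not part of this export and not code from any product named in it: it splits the tag-stripped export into records, parses the Event 10 fields, decodes the access mask and classifies each LSASS access. SAMPLE_EXPORT holds three records copied from the page (line wraps removed, call traces shortened) plus one constructed record whose source, C:\Users\Public\procdump64.exe with mask 0x1010, is hypothetical; KNOWN_AGENTS is an assumed site allowlist; and because the export fuses SourceProcessId and SourceThreadId with no separator, the parser keeps them as one field rather than guessing the split.

```python
import re
from dataclasses import dataclass

# Process access rights from winnt.h, used to decode GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_BITS = 0x0010 | 0x0020  # VM_READ | VM_WRITE: what a credential dumper needs on LSASS
# Assumed site allowlist (not a Sysmon setting): the agent seen in this export, by full path.
KNOWN_AGENTS = {r"c:\program files\aurora-agent\aurora-agent.exe"}

# A record starts with EventID, Version, Level, Task and Opcode run together, then Keywords.
RECORD_BOUNDARY = re.compile(r"\s+(?=\d{6,8}x8000000000000000)")
EVENT10 = re.compile(
    r"^10\d41000x8000000000000000"          # EventID 10, Version, Level 4, Task 10, Opcode 0, Keywords
    r"(?P<record_id>\d+)"                   # EventRecordID
    r"Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-"                   # Computer, then RuleName ('-' throughout this export)
    r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"  # UtcTime
    r"\{(?P<source_guid>[0-9A-F-]+)\}"
    r"(?P<source_pid_tid>\d+)"              # SourceProcessId and SourceThreadId, fused by the export
    r"(?P<source_image>[A-Za-z]:\\[^{]+)"
    r"\{(?P<target_guid>[0-9A-F-]+)\}"
    r"(?P<target_pid>\d+)"
    r"(?P<target_image>[A-Za-z]:\\.+?)"
    r"(?P<granted_access>0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\|UNKNOWN\()"  # hex ends where CallTrace begins
    r"(?P<call_trace>.+)$",
    re.DOTALL,
)

@dataclass
class ProcessAccess:
    record_id: int
    computer: str
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str
    verdict: str = ""

    @property
    def target_name(self) -> str:
        return self.target_image.rsplit("\\", 1)[-1].lower()

    @property
    def is_wow64(self) -> bool:  # Sysmon marks frames of a WOW64 (32-bit) process with "(wow64)"
        return "(wow64)" in self.call_trace


def split_records(blob: str) -> list:
    return [r for r in RECORD_BOUNDARY.split(blob.strip()) if r]


def parse_process_access(record: str):
    m = EVENT10.match(record)
    if not m:  # some other Sysmon event (3, 7, 11, 12, 23, ...) in the same export
        return None
    return ProcessAccess(int(m["record_id"]), m["computer"], m["source_image"],
                         m["target_image"], int(m["granted_access"], 16), m["call_trace"])


def decode_access(mask: int) -> list:
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def classify(evt: ProcessAccess) -> str:
    if evt.target_name != "lsass.exe":
        return "ignore"
    trusted = evt.source_image.lower() in KNOWN_AGENTS
    reads_memory = evt.granted_access == PROCESS_ALL_ACCESS or bool(evt.granted_access & MEMORY_BITS)
    if reads_memory:
        return "review" if trusted else "alert"
    return "expected" if trusted else "review"


def triage(blob: str) -> list:
    events = [e for e in map(parse_process_access, split_records(blob)) if e]
    for evt in events:
        evt.verdict = classify(evt)
    return events


# Constructed input: three records copied from the export above (line wraps removed, call traces
# shortened) plus one constructed record (procdump64.exe, record 99999) standing in for a dumper.
SAMPLE_EXPORT = r"""
10341000x800000000000000040734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.416{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10)
10341000x8000000000000000105228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:24.530{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405920C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190)
23542300x800000000000000040732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.342{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33D72A97E66C933340C60535CAEF9A0,SHA256=628D1540FD5B09D83219F58D37C45AF34BDF38B02EB543AEDDB0A55229F2C517,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:00.000{3EE3745C-C000-63BE-F000-00000000A802}41001234C:\Users\Public\procdump64.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+c6a18|C:\Users\Public\procdump64.exe+1a2b3|UNKNOWN(000000000000F00D)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_EXPORT):
        print(e.record_id, e.verdict, e.source_image, "->", e.target_name,
              hex(e.granted_access), decode_access(e.granted_access), "wow64" if e.is_wow64 else "")
```

Run directly, it prints one line per ProcessAccess record and silently skips the FileDelete record. The verdicts are deliberately coarse: a handle carrying PROCESS_VM_READ or PROCESS_VM_WRITE (or full access) to lsass.exe from an image that is not allowlisted is an alert, the same rights from an allowlisted agent still merit review, and a DUP_HANDLE-only open from the agent is expected. Key the allowlist on the full image path, never on the file name alone, since anything can be named aurora-agent.exe; and because the CallTrace frames of a WOW64 source always include the wow64 layer, the presence of an UNKNOWN frame on its own is not a useful signal here.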
354300x8000000000000000105236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:25.156{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 11241100x8000000000000000105235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:27.095{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:27.095{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6449AAE142955B2BDD57D7BA915704A,SHA256=4790B8F5797BCEF7270CC55077EEA85E8C9D694A58C985E28306B5D8EF4E8A78,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:24.640{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50029-false10.0.1.12-8000- 23542300x800000000000000040763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:27.063{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC5C6A8C382CF55147347AB5C5156E5,SHA256=7072AFABD5D50845C29DF83D427489AF27887E7D71FBAAC03B90A583784090D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:28.190{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:28.190{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D697EF8ACE07018A2AFDFCDAA3425AE1,SHA256=4825FDB330928A8C4810004CF3AA970F66D3BF0D581BA9470EB72C614197F4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:28.163{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9707EF2376E76072AB89E7C4086E2323,SHA256=75BA04F43B26AB1FB34754403DCA2332A24DA1D51A560ABA4555857D97E58A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:29.255{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6820205852D7478285233FB9B8AC6FE2,SHA256=5E3FE9B6146AF0D7A88809EBA8082935716EFF3CDCBD198E3B8A176A0494A011,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000105297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:29.957{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000105296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:29.957{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x8000000000000000105295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.834{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000105294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.833{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2F3FDDBD472A5C249D86B038DA075A4F,SHA256=04FA21BA56ECC4D8AC3BE0AA8DBAE8BF742E07423E2BD85F463041D6B1233B34,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000105293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.614{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000105292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.614{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000105291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.614{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000105290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.286{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000105289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.286{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3994D5D788F20BD701D4E3E854048FBC,SHA256=5509919538653A5CB48E97C19B5A37CFE884E1E5662F23FC03FEE6103EA75FF6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000105288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.223{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000105287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.223{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000105286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.223{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000105285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.223{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000105284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.208{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000105283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.208{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000105282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.208{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000105281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.208{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000105280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000105279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000105278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000105277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000105276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000105275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000105274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000105273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000105271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000105270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000105269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000105268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000105267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000105266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.193{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000105265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000105264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000105263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x8000000000000000105262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000105261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000105260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000105259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000105258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000105257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000105256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
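The Event ID 10 (ProcessAccess) records in this export carry a GrantedAccess field as a raw hex mask (0x1fffff, 0x1400, 0x1010, 0x1000, 0x101400) that is hard to read without decoding. The following is an added example, not part of the original Sysmon export or of any Splunk or Sysmon tooling: it decodes those masks into the Win32 process access rights from winnt.h and reduces records to source/target/rights rows. The sample events are transcribed from the Event ID 10 records of win-dc-ctus-attack-range-661 on this page; the INTRUSIVE_RIGHTS grouping is this example's own triage heuristic and not a Sysmon or Microsoft definition.

```python
"""Decode GrantedAccess masks from Sysmon Event ID 10 (ProcessAccess) records.

Added example. The constants are the Win32 process access rights from winnt.h;
the INTRUSIVE_RIGHTS grouping is this example's own heuristic; SAMPLE_EVENTS is
a constructed list transcribed from the Event ID 10 records in this export.
"""
import ntpath

# Process-specific and standard access rights (winnt.h), keyed by bit value.
PROCESS_ACCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE",
    0x000002: "PROCESS_CREATE_THREAD",
    0x000004: "PROCESS_SET_SESSIONID",
    0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE",
    0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS",
    0x000100: "PROCESS_SET_QUOTA",
    0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME",
    0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF (Vista and later)
KNOWN_BITS = sum(PROCESS_ACCESS_RIGHTS)

# Heuristic grouping (this example's assumption): rights that let the source read or
# alter the target's memory, threads or handles. Query-only masks such as 0x1000 and
# 0x1400, which most monitoring agents request, are deliberately left out.
INTRUSIVE_RIGHTS = (
    0x0002    # PROCESS_CREATE_THREAD
    | 0x0008  # PROCESS_VM_OPERATION
    | 0x0010  # PROCESS_VM_READ
    | 0x0020  # PROCESS_VM_WRITE
    | 0x0040  # PROCESS_DUP_HANDLE
    | 0x0800  # PROCESS_SUSPEND_RESUME
)


def parse_granted_access(value):
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'; accept an int too."""
    return value if isinstance(value, int) else int(value, 16)


def decode_granted_access(mask):
    """Return the named rights set in a GrantedAccess mask, lowest bit first.

    0x1FFFFF is reported as PROCESS_ALL_ACCESS rather than as its components;
    any other bit missing from the table (e.g. 0x4000, 0x8000) is reported as hex.
    """
    mask = parse_granted_access(mask)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def is_intrusive(mask):
    """True when the mask grants memory/thread/handle access to the target (or everything)."""
    mask = parse_granted_access(mask)
    return mask == PROCESS_ALL_ACCESS or bool(mask & INTRUSIVE_RIGHTS)


def summarize(events):
    """Reduce Event ID 10 records to (source, target, rights, intrusive) tuples."""
    rows = []
    for ev in events:
        mask = parse_granted_access(ev["GrantedAccess"])
        rows.append((
            ntpath.basename(ev["SourceImage"]),
            ntpath.basename(ev["TargetImage"]),
            decode_granted_access(mask),
            is_intrusive(mask),
        ))
    return rows


# Constructed sample: SourceImage / TargetImage / GrantedAccess transcribed from the
# Event ID 10 records of win-dc-ctus-attack-range-661 in this export (2023-01-11 14:18:29-30).
SPLUNK_BIN = r"C:\Program Files\SplunkUniversalForwarder\bin"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\system32\conhost.exe", "TargetImage": SPLUNK_BIN + r"\splunk-MonitorNoHandle.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Windows\system32\svchost.exe", "TargetImage": r"C:\Windows\sysmon64.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Windows\system32\csrss.exe", "TargetImage": SPLUNK_BIN + r"\splunk-MonitorNoHandle.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": SPLUNK_BIN + r"\splunkd.exe", "TargetImage": SPLUNK_BIN + r"\splunk-MonitorNoHandle.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": SPLUNK_BIN + r"\splunk-admon.exe", "TargetImage": SPLUNK_BIN + r"\splunkd.exe", "GrantedAccess": "0x101400"},
    {"SourceImage": r"C:\Program Files\Aurora-Agent\aurora-agent.exe", "TargetImage": SPLUNK_BIN + r"\splunk-admon.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\Aurora-Agent\aurora-agent.exe", "TargetImage": SPLUNK_BIN + r"\splunk-admon.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for src, dst, rights, intrusive in summarize(SAMPLE_EVENTS):
        flag = "INTRUSIVE" if intrusive else "query-only"
        print(f"{src:22} -> {dst:28} {flag:10} {' | '.join(rights)}")
```

Every source in these sample rows is a monitoring or system component (csrss.exe and conhost.exe opening a freshly created console process, svchost.exe querying sysmon64.exe, the Splunk forwarder and Aurora agent inspecting each other), so the "intrusive" flag here is a triage aid, not a verdict: in practice it only becomes a detection when combined with a target filter (for example lsass.exe) and an allow-list of expected source images, which is exactly the noise this export illustrates.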
734700x8000000000000000105255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000105254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000105253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000105252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:29.177{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000105251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000105250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000105249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000105247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:29.177{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:29.177{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.177{7DAC9CB3-C535-63BE-C201-00000000A702}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:30.352{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0920829311F25CD6D8875AD7BAC7533E,SHA256=44FB5A9EAB6C1A05785B3D26892A60F827E782A4169B74177769EB84240909FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.986{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=14BE4996F658E11B595EC8655C05663B,SHA256=0A6F62DF452AB3AD9536C14F0FC208143815668CA7D127E52FFCD0E4F2B51262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.971{7DAC9CB3-C536-63BE-C301-00000000A702}68082688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000105357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.971{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000105356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.971{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000105355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.737{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000105354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.737{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0)
10341000x8000000000000000105353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.737{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0)
10341000x8000000000000000105352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.736{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0)
10341000x8000000000000000105351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.736{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0)
10341000x8000000000000000105350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.736{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0)
734700x8000000000000000105349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.734{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid
734700x8000000000000000105348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.733{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid
734700x8000000000000000105347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.731{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid
734700x8000000000000000105346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.729{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid
734700x8000000000000000105345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.721{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid
734700x8000000000000000105344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.721{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid
734700x8000000000000000105343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.720{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x8000000000000000105342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.719{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid
734700x8000000000000000105341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.718{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
734700x8000000000000000105340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid
734700x8000000000000000105339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid
734700x8000000000000000105338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x8000000000000000105337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid
734700x8000000000000000105336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid
734700x8000000000000000105335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000105334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x8000000000000000105333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid
734700x8000000000000000105332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid
734700x8000000000000000105331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid
734700x8000000000000000105330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x8000000000000000105329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid
734700x8000000000000000105328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x8000000000000000105327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x8000000000000000105326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid
734700x8000000000000000105325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid
734700x8000000000000000105324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x8000000000000000105323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000105322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x8000000000000000105321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid
734700x8000000000000000105320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
734700x8000000000000000105319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x8000000000000000105318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid
734700x8000000000000000105317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x8000000000000000105316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x8000000000000000105315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000105314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
10341000x8000000000000000105313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000105312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid
734700x8000000000000000105311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid
734700x8000000000000000105310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000105309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid
10341000x8000000000000000105308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000105307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000105306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000105305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000105304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000105303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.692{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000105302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.693{7DAC9CB3-C536-63BE-C301-00000000A702}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x8000000000000000105301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.458{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000105300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.458{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3121A025DCA7D92F477F6B628A131ADF,SHA256=4B62FA648E4EAF5A0761C1E8A9B8E93DEA9D253F17C8FBBE26412C2BB3261643,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000105299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.239{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840
23542300x8000000000000000105298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:30.239{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545CA73829E2CAA4A00E52FAF9BCFEDE,SHA256=133FCE2A778FFCD952768B4E061EF6DF79D9F643D5CAF021E924FA8C7EE9E42A,IMPHASH=00000000000000000000000000000000falsetrue
734700x8000000000000000105421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.658{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
734700x8000000000000000105420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.658{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid
734700x8000000000000000105419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.658{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid
11241100x8000000000000000105418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.596{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000105417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.596{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BA98E2BA450F0A5420E09C24085DE1,SHA256=DB12CCD050A62B490E69CDCEE4EE0D41385F9D7AA5F53AFAB764FE73C01F8250,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000105416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.580{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000105415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.580{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F5475E1934EBF7D87F58C7969A05A2,SHA256=C97E1632D3D9307B2FCB8B95E3CB5C96342A9FA1D84A553075407ADD3B39D85C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000040769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:29.668{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50030-false10.0.1.12-8000-
23542300x800000000000000040768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:31.468{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B8ED01F793EE480854E99CCCF1D40D,SHA256=010320A2BA0B1FA410CFF7905AFFD4E38C180FCB102BF2DC9AD668B1898B4C60,IMPHASH=00000000000000000000000000000000falsetrue
734700x8000000000000000105414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:31.395{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000105413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.378{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000105412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.378{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000105411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.378{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000105410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.378{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000105409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.378{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000105408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.378{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000105407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.378{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000105406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000105405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000105404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000105403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000105402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000105401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000105400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000105399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000105398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000105397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000105396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000105395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000105394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000105393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000105392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 354300x8000000000000000105391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.764{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59613-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000105390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.764{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59613-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000105389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:29.019{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59612-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000105388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000105387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000105386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000105385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000105384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000105383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000105382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000105380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000105379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000105378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000105377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000105376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000105375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000105374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000105373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000105372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000105371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:31.362{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000105368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 10341000x8000000000000000105367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000105366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 
10341000x8000000000000000105365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000105364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000105362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.362{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
154100x8000000000000000105360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:31.363{7DAC9CB3-C537-63BE-C401-00000000A702}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000105423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:32.671{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:32.671{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BCA7F6EF7DCB6FB4218ECA2E89003BA,SHA256=2A4180052C564390601F4E0A0761EF9FC70B62B4850A580478923F4F871E5DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:32.549{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5569E65D7C6BC1B4CA769667192BD15B,SHA256=D30A9EA19DAD050DE7EA6E93DC7B8FDE60795461B92A4D7F01A33370E51D0307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:33.639{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A943DFEC58A1D3517FC0C99FA49AE64,SHA256=F867CFE9C6DE3B6C7617F368A8460E3EB1787CBF8BEEDF14383D128F7CFBB1BE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000105474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.426{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000105473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.426{7DAC9CB3-C539-63BE-C501-00000000A702}26724572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000105472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.426{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000105471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.426{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000105470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.253{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000105469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.253{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000105468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.253{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000105467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.253{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000105466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.253{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000105465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.253{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000105464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.253{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000105463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.253{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000105462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000105461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000105460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000105459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000105458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000105457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000105456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000105455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000105454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000105452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000105451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000105450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000105449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000105448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000105447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000105446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000105445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000105444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000105443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000105442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000105441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000105440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000105439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000105438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000105437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000105436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:33.237{7DAC9CB3-C539-63BE-C501-00000000A702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000105435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000105536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.648{7DAC9CB3-C53A-63BE-C701-00000000A702}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.648{7DAC9CB3-C53A-63BE-C701-00000000A702}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000105534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:34.648{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.648{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:34.648{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.648{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:34.648{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C53A-63BE-C701-00000000A702}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.648{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C53A-63BE-C701-00000000A702}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.649{7DAC9CB3-C53A-63BE-C701-00000000A702}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000105527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.257{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000105526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.257{7DAC9CB3-C53A-63BE-C601-00000000A702}65085636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000105525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:34.257{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000105524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.257{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000105523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.070{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000105522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.070{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating 
SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000105521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.070{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000105520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000105519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000105518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000105517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000105516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000105515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000105514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000105513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000105512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000105511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000105510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000105509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000105508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000105507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000105506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.055{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000105505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.039{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000105504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.039{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000105503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.039{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000105502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.039{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000105501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.039{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000105500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.039{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000105499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:34.039{7DAC9CB3-C53A-63BE-C601-00000000A702}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000105498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
10341000x8000000000000000105605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C53C-63BE-C801-00000000A702}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000105604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-C53C-63BE-C801-00000000A702}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000105603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-C53C-63BE-C801-00000000A702}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000105602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-C53C-63BE-C801-00000000A702}4188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-C53C-63BE-C801-00000000A702}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000105600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000105599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000105597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C53C-63BE-C801-00000000A702}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.529{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C53C-63BE-C801-00000000A702}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.530{7DAC9CB3-C53C-63BE-C801-00000000A702}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000105593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.342{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000105592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:36.342{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0146028BE806704625DB46C9769EF7C,SHA256=01A6627EC164443A688594B674C9BA106656A0C6E5F13B8C077028A2E3D694A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:34.676{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50031-false10.0.1.12-8000- 11241100x8000000000000000105647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:37.655{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:37.655{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4325AE7BBAD91AE6A2607274AE23B319,SHA256=BF4C920B42C8795FE62D2D2541D405D877F4F7DE7BF90D4C6E1E2B3DB770F4B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:18:37.022{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC7CDAB5FCD785CA57AE056A40ED204,SHA256=681BF8F0B3DA5D9A2E1BDFDFDCDD2336BD5F3D2E82AE4511A561B61B2C03A0AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:38.771{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:38.770{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8073E7EF26A51A3DA6A8697DFC18E2B,SHA256=E1BD77D47A6DE9BF0D6A51B2CEEF2A115A6565C2C5954C642D80B02664E7AEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:38.114{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EE4AF88F5CB13DBC400CAF8AF3EDA1,SHA256=F4598EFAEF6AF3B3848C1F309AE08DE6FD4B55FCF8648B869BEA9DD9B81A8A7B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:18:39.866{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:39.866{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628D78AD8B4157CC7070BE21DBDD82BF,SHA256=F323C3F3427ABA9B4162141FE504A8F0B30C701CADC59ACEC5ED334D4E54DFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:39.310{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212906034002DD4D9914A7A91EA11F8E,SHA256=7B2E87DA883FC392A8849A7C392C207627DC91F7B7D034715C8CFCD6A105BC83,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:40.953{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:40.953{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DCCAF23270E55AA530FFD640E62456,SHA256=B3C2A5BED5D1F5DDD24C788F975779B5DE71ED8D22E9A9D4FE9728A84A9CED1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:40.407{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884EF0F3668B10BCE56FD34E1EB5DFDA,SHA256=2CFBE45F994F1F1FA0AD6A147C0BB6660DDD327AEBAAC1E57A4B9A6BB272EAE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:39.798{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50032-false10.0.1.12-8000- 23542300x800000000000000040780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:41.702{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-027MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:41.510{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC5BCA3A43626640BC67F9BB2627C24,SHA256=37E60AB88831B2E032F595AC7BCB8DAD2DF2331C7499C2D5D791385B4CCB8403,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.995{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.994{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F7AD26A5D3E47241DC13FCF6BF0BFB,SHA256=33FE59ECE806596133E3476F50CA02FF7CF3ACA9199516DBE964B4481E91E11A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:39.861{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59615-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000105672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.364{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.344{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.323{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.318{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.315{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.311{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.268{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.251{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:41.246{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.599{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.598{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.595{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.593{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.589{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.579{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.575{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.567{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.558{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.547{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.544{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.528{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.519{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.479{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.472{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.463{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.454{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.445{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.439{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.430{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.423{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.415{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.406{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000040786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:44.402{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 11241100x8000000000000000105739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:45.760{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:45.760{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3A1AD3321976123B9CE197B10345A0,SHA256=88C3448E422AB422963BD6D1A6843D8957EAF367B5C1E89C2B92C6FCF99F69C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:18:45.444{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AECA0D1FBCE3D1F3D6421AE1BA8E44,SHA256=EFCE927EE4B7AFBF7D62A52FA3B4F22D5DE41547D08DCAD9E7B7E991595245D7,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000105737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:18:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000105724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.016{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 734700x8000000000000000105723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 
734700x8000000000000000105722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000105721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000105720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:18:45.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x8000000000000000105719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:18:45.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000105776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:01.011{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000105775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:01.008{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 23542300x800000000000000040834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:02.313{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9886AA8C0D3DD138FCC74ECE77631814,SHA256=E8F66DB35A050025B14C285E75BABE349D332DA28E29E2F34921A5F7945162D2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.439{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.439{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E390466D683E603A7C416205463216F4,SHA256=1D7A95B1723A21380BCEEA6E78E90FCD97F4A8F4BD2A5BD2D3B7838ADF101441,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000105804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.254{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000105803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.250{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000105802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.245{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000105801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.238{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000105800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.234{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000105799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.230{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 11241100x8000000000000000105798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.129{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-11 13:51:01.788 23542300x8000000000000000105797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:02.129{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DA5E7D4DBCE67F9213CDF163DFB3E670,SHA256=3779CE65C9300F7EFD2E1CBE12F33989756D363938BFAB06A8BB889A566CA137,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:03.542{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:03.542{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1E3865DCA379FE7E911CC3CA725A87,SHA256=6008EFBCFF370AFEF24A5B5E6FA01A16FA7C6BAFF3356DEA575AED7943BC8A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:03.398{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD56906D424C5D3AB4A4A8E6818F5305,SHA256=4B87FC3015E9C9A9F5F62BC6BB1B883E406DBE927EE75D0799948C7F1312D55E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.825{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.822{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.819{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.813{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.812{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.809{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.803{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.801{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.799{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.794{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.774{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.766{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.763{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.752{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.735{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 
10341000x800000000000000040850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.726{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.698{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.684{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.641{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000040846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:04.633{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
14:19:11.651{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.651{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:11.651{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.651{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.651{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C55F-63BE-6701-00000000A802}2128C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.651{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C55F-63BE-6701-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.652{3EE3745C-C55F-63BE-6701-00000000A802}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.349{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E3C4B7348F756781DBF916BBB26ACBA3,SHA256=F1E3BFB5D32DAC700A46BD4E6D4F8F60C6698B4817C619F3EE68BD817F77F808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.277{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A89CA1E1552F3CA8D5A121C3435F46,SHA256=A72A4566D83880274573D534FB43A9D9F6AC3788CC464A7DECF5F763A34A8B2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.027{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C55F-63BE-6601-00000000A802}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000040887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:11.027{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.027{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C55F-63BE-6601-00000000A802}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.027{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C55F-63BE-6601-00000000A802}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:11.028{3EE3745C-C55F-63BE-6601-00000000A802}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000105842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:08.851{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59620-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
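The records above are Sysmon events from the Attack Range hosts, exported with their field delimiters stripped: the leading digits are EventID, Version, Level, Task and Opcode (so `10 3 4 10 0` is Event ID 10, ProcessAccess; `23 5 4 23 0` is FileDelete; `1 5 4 1 0` is ProcessCreate; `3 5 4 3 0` is NetworkConnect; `11 2 4 11 0` is FileCreate), followed by Keywords, EventRecordID, Channel, Computer and the event body. For the Event ID 10 records the fields a practitioner cares about are GrantedAccess (a PROCESS_* rights mask, e.g. `0x1400`, `0x1010`, `0x1fffff`) and CallTrace (module+offset frames, with `UNKNOWN(...)` for return addresses outside any loaded image, as in the aurora-agent.exe records). The following is an added example, not code from the page or from Splunk or Sysmon: it decodes the mask, parses the call trace, and applies a small triage rule set. Because the export has no delimiters, the sample records are typed in by hand from values visible in the excerpt (images, PIDs, masks, abridged call traces); the lsass.exe record is constructed to show what a credential-dump handle would look like and does not occur in the excerpt. `SENSITIVE_TARGETS`, `SUBSYSTEM_IMAGES` and the parent-PID map are assumptions for this example, not Sysmon defaults.

```python
"""Triage helpers for Sysmon Event ID 10 (ProcessAccess) records.

Added example; not part of the log export above. Sample records are
constructed from values in the excerpt; the lsass.exe record is invented
to exercise the sensitive-target rule.
"""
from dataclasses import dataclass

# Process access rights from winnt.h. PROCESS_ALL_ACCESS is 0x1FFFFF on
# Vista and later; bits 14 and 15 (0xC000) carry no named right.
PROCESS_RIGHTS = {
    0x000001: "TERMINATE", 0x000002: "CREATE_THREAD", 0x000004: "SET_SESSIONID",
    0x000008: "VM_OPERATION", 0x000010: "VM_READ", 0x000020: "VM_WRITE",
    0x000040: "DUP_HANDLE", 0x000080: "CREATE_PROCESS", 0x000100: "SET_QUOTA",
    0x000200: "SET_INFORMATION", 0x000400: "QUERY_INFORMATION",
    0x000800: "SUSPEND_RESUME", 0x001000: "QUERY_LIMITED_INFORMATION",
    0x002000: "SET_LIMITED_INFORMATION", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the holder read or alter the target's memory or threads.
MEMORY_RIGHTS = 0x000002 | 0x000008 | 0x000010 | 0x000020
# Assumption for this example: LSASS (credentials) and the Sysmon sensor itself.
SENSITIVE_TARGETS = {"lsass.exe", "sysmon64.exe"}
# Subsystem processes that legitimately open every new process with full access.
SUBSYSTEM_IMAGES = {"csrss.exe", "conhost.exe"}


def decode_granted_access(mask):
    """Return the right names set in a GrantedAccess value as logged, e.g. '0x1010'."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]
    unnamed = value & ~sum(PROCESS_RIGHTS)
    if value == PROCESS_ALL_ACCESS:
        names.append("ALL_ACCESS")
    elif unnamed:
        names.append(f"RESERVED(0x{unnamed:x})")
    return names


def parse_call_trace(call_trace):
    """Split a CallTrace into (module, offset, wow64) frames; module is None for UNKNOWN frames."""
    frames = []
    for frame in call_trace.split("|"):
        wow64 = frame.endswith("(wow64)")
        if wow64:
            frame = frame[: -len("(wow64)")]
        if frame.startswith("UNKNOWN(") and frame.endswith(")"):
            frames.append((None, int(frame[8:-1], 16), wow64))
        else:
            module, _, offset = frame.rpartition("+")
            frames.append((module, int(offset, 16), wow64))
    return frames


@dataclass
class ProcessAccess:
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    granted_access: str
    call_trace: str


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def triage(event, parent_of):
    """Return reasons an Event ID 10 record needs a look; empty list means expected.

    parent_of maps child PID -> parent PID, taken from Event ID 1 records.
    """
    reasons = []
    value = int(event.granted_access, 16)
    src, tgt = basename(event.source_image), basename(event.target_image)
    if (value == PROCESS_ALL_ACCESS
            and parent_of.get(event.target_pid) != event.source_pid
            and src not in SUBSYSTEM_IMAGES):
        reasons.append(f"ALL_ACCESS from {src}, which is not the parent of {tgt}")
    if tgt in SENSITIVE_TARGETS and value & MEMORY_RIGHTS:
        rights = [n for bit, n in PROCESS_RIGHTS.items() if value & bit & MEMORY_RIGHTS]
        reasons.append(f"memory rights {rights} on sensitive target {tgt}")
    unknown = [off for mod, off, _ in parse_call_trace(event.call_trace) if mod is None]
    if unknown:
        reasons.append(f"call trace has {len(unknown)} frame(s) outside any loaded module")
    return reasons


# Child -> parent PIDs from the Event ID 1 records in the excerpt (splunkd.exe is 1620).
PARENT_OF = {2128: 1620, 424: 1620}
UF = r"C:\Program Files\SplunkUniversalForwarder\bin"
SAMPLE_EVENTS = [  # constructed from the excerpt; call traces abridged
    ProcessAccess(r"C:\Windows\system32\svchost.exe", 728, r"C:\Windows\sysmon64.exe", 1896, "0x1400",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6"),
    ProcessAccess(UF + r"\splunkd.exe", 1620, UF + r"\splunk-admon.exe", 2128, "0x1fffff",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|" + UF + r"\splunkd.exe+e499f1"),
    ProcessAccess(r"C:\Windows\system32\csrss.exe", 416, UF + r"\splunk-admon.exe", 2128, "0x1fffff",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645"),
    ProcessAccess(r"C:\Program Files\Aurora-Agent\aurora-agent.exe", 1552, UF + r"\splunk-netmon.exe", 4024, "0x1010",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0)"),
    # Constructed, not in the excerpt: the shape of a credential-dump handle on LSASS.
    ProcessAccess(r"C:\Temp\tool.exe", 9999, r"C:\Windows\system32\lsass.exe", 652, "0x1010",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Temp\tool.exe+1234"),
]


def triage_samples():
    """Run triage over SAMPLE_EVENTS; returns one reason list per record."""
    return [triage(e, PARENT_OF) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, reasons in zip(SAMPLE_EVENTS, triage_samples()):
        print(basename(event.source_image), "->", basename(event.target_image),
              decode_granted_access(event.granted_access), reasons or "expected")
```

Run against these samples, the svchost.exe opens of sysmon64.exe decode to QUERY_INFORMATION and QUERY_LIMITED_INFORMATION with lsm.dll on the stack, which is the session manager polling a service and carries no memory rights, and the 0x1fffff handles come from the parent (splunkd.exe) or from csrss.exe and conhost.exe at process start, so all three are reported as expected. The aurora-agent.exe record is the one worth a note: VM_READ on another process plus an UNKNOWN frame under wow64 is also what injected code looks like, so a scanner that behaves this way belongs in an explicit baseline rather than a blanket exclusion of the UNKNOWN-frame rule. The constructed lsass.exe record shows the rule that should never be baselined away.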
11241100x8000000000000000105846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:12.322{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:12.322{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD8063EC6F293D34625D7D7DD671AF1,SHA256=64C808DD2D8B0076D79FC3081A4E7E1A0A98172FC12CFF70F22BB95674A63E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.536{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=533FE50458C21B99B0D93A4E70F3AEB6,SHA256=30298881E2475532CDFD12156170D090C33A12B992A3B8E30399CA2FDF8736BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.446{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.444{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.444{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.443{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.443{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000040921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.443{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 23542300x800000000000000040920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.400{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E189E3652EB96FF8739E77FF561392B,SHA256=249E4D5FD92D60D67412E5BE9CF6FE7254140BCD2FDEF255C04A8E316E735704,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:12.291{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.291{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.291{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.291{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.292{3EE3745C-C560-63BE-6801-00000000A802}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:12.103{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87E78A98192FF09099204D60E34DBBFB,SHA256=A97B6FABC5FD41063D71902026643AC79ADA30CF5097D411DA6ACF6E98509ECA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:13.414{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:13.414{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27673B05D1CC29BAE823EACC5C5B9ADD,SHA256=313C96B4587B6CF93B0922B0BA2184FCC63FF3977B73FA656FEFAE7EB52F081A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:13.949{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C561-63BE-6901-00000000A802}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.949{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.949{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C561-63BE-6901-00000000A802}2668C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.949{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C561-63BE-6901-00000000A802}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.950{3EE3745C-C561-63BE-6901-00000000A802}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:13.574{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CB5C5EA4021842B10A85B34CDAD39A,SHA256=4E344BCCA8D63BF95F96645DCBA0895D59D3C4587D057FE1B106DC25598EB464,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:14.501{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:14.501{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F01517C9ABB8F17274F46909B148861,SHA256=A727257545FC9F725FEED82F36E357EF3A495CF78B57A06ACF5A848407607CB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:14.810{3EE3745C-C562-63BE-6A01-00000000A802}33922912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:14.686{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CD8868B3E6302D15ED32E097D355BD,SHA256=040CC1D06943CF401E0C03255A6A9483FFABE90C4E4D361CB8089D8C6CC25FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:14.623{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C562-63BE-6A01-00000000A802}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:14.623{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:14.623{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:14.623{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:14.623{3EE3745C-BE84-63BE-0C00-00000000A802}728872C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76FC5A51F2779998AA8EF104CC161B71,SHA256=10AB7BE2A0029EDBD0E815D836F3A869E26AD1E87C2788C89313121A6E89902A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:18.892{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:18.892{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06CF4C03AF6373EAEFF497EBECECA3A,SHA256=5D7E062E4536777C1202930002E7BDCFAA75D377940B54505F7A72DE8130AF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:18.071{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21EF9201C3C6A2C3BCC659DB9471638,SHA256=2DDFFEA0A3E5935CE87F7BF46D9AB3E46AC515D2AFB8F20C89F740203A00364D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:15.794{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50039-false10.0.1.12-8000- 11241100x8000000000000000105864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:19.980{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:19.980{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63FCD89AC7BE94F9C1317442FDA67B0,SHA256=E1421430C3096D8B88DDBFD0A2C10513435B20CAD8E727B0D245B7B6D4DE3790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:19.162{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584CBE0BEED720F87E08A43791F385A6,SHA256=D69EBDCCAA5B54CB1D4E957F9F1512CBCF2C63192F1908FC71E794D42B5F9EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:20.251{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C53B6454DE2458604718317E523315D,SHA256=6B1808E282ED13B58953AA9E2E33B904F373A2545CA2428119F62693D1D407FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.890{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.887{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.876{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.873{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.863{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.856{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.850{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.275{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.253{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.250{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.246{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.244{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.242{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.204{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.197{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.188{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.171{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.156{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.141{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.132{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.120{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.107{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.084{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.074{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 11241100x8000000000000000105868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.065{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.064{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7ED44578286066EFE2CAC3F2CD858C0,SHA256=655E1DA032B6411D260167B3291C377B4A25C14A682B67D401AE3BB0EABACB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:21.342{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F738C6041547FB6A8CE1B0AEE7A3F878,SHA256=C58C08FFCFA630515983F63EB77E6C6DDC5BF5CB3333D17EEDAAEB22D6996FD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000105865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:21.009{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x8000000000000000105895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:19.910{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000040999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:24.408{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 11241100x8000000000000000105920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:25.497{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:25.497{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0AA88D77F3BD55CDCB793699101418,SHA256=4D83D3AA932EAEC568DA6AD14F89F1B6BCF6D458BBFBDE5771013CCCADF4AE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:25.368{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B42DDFD1737CD28F2DC9A1314643095,SHA256=50F9B3655387868E5141565F1829020C9B3C43C33A0EFB1F049C7D758DCC595B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:26.617{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:26.617{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091A1604309251EE3DE322D316431740,SHA256=7440B2AACE3E945998ECB1B26086662639ED035BA46BCD935A044F6569D6F4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:26.467{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E5722F547A50C0821BDF5A6D057C54,SHA256=E6E72238D5621B3549F059771072D7E266CF8F7D407026690966CD8249C2CEE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:27.576{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BDE593CCE1A3267560602C60514B5F,SHA256=EBE2675B3D031944718A97C98E66B8DD419EC886BF1CDB2D2B3D48C2D2B216AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:27.704{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:27.704{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A2BEEE014C641AE35776746906F8D0,SHA256=B445CA28571169CC430EAA408DE66C951F21DCD3BCA5C459309A8104EB3D5E2B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:27.657{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:19:27.657 354300x8000000000000000105923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:25.885{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59624-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:28.899{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C68B3B6CD45C7CE9374A9B7508CB136,SHA256=18C1ED9F922BA649B164996993D74357ACCD9D3DB5E1DE3DA43B748F84C52161,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:28.795{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:28.795{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6521AF668FEF02C180CA6A1B09EAADE,SHA256=730A8EEBB9E9BAACCE3BD8DD154C69E53AB375F9F47CF08172871CA1359ABFD3,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000041031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:26.810{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50041-false10.0.1.12-8000- 12241200x8000000000000000105983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:29.972{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000105982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:29.972{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000041033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:29.988{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A393E6091B36F66E65C50DEAF367BF3,SHA256=57CEC32132AD430CE955A710F869B32884A9A4BD66B5C14C034C511D018994DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.785{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000105980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:29.785{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=832C5B44505C364A143C4F730951C94F,SHA256=27DEDF3326D3400C2ABBEAAC5F56FCE0D7D294375578FD1544A4F57755C38D29,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000105979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.560{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000105978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.545{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000105977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.545{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000105976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.217{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000105975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.217{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000105974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.201{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000105973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.201{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000105972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.201{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000105971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.201{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000105970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.201{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000105969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.201{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000105968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.201{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000105967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.201{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000105966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000105965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000105964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft 
WindowsValid 734700x8000000000000000105963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000105962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000105960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000105959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000105958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000105957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000105956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000105955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000105954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.185{7DAC9CB3-C571-63BE-C901-00000000A702}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000105953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
734700x8000000000000000105998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.696{7DAC9CB3-C572-63BE-CA01-00000000A702}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000105997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.696{7DAC9CB3-C572-63BE-CA01-00000000A702}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000105996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.694{7DAC9CB3-C572-63BE-CA01-00000000A702}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000105995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.694{7DAC9CB3-C572-63BE-CA01-00000000A702}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000105994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.693{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:30.693{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.693{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:30.692{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C572-63BE-CA01-00000000A702}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000105990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.692{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C572-63BE-CA01-00000000A702}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000105988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.692{7DAC9CB3-C572-63BE-CA01-00000000A702}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000105987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.331{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000105986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:30.331{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E80BEDA18D054861C9964FAB298069C4,SHA256=D5A9F565E1748028D712826F7493306DF0E56E627A183C4F2023EE6FB942D2E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.082{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000105984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:30.082{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D153408C49C9CA1454767F0433C6FF,SHA256=A6A9C6F44B8093195BABB326962E4B6930F769013CF01F58BD9634E26A2116F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.778{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59625-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000106097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:29.778{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59625-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 734700x8000000000000000106096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.581{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 11241100x8000000000000000106095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.581{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.581{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9846F570EB9DC3311FF5DB1DF2BB85A3,SHA256=A856322018A67025634DEE759DA2E06F5345F905D0576453C7187599D91DCE5A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.581{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows 
Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.581{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000106091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.472{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=828F7508E7EFBFFD62E4709BA0628842,SHA256=510AD97D6049FEE4929908546EE0CC021331CF0708F091517C3526F6DA7405DD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.394{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000106089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.378{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.378{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.378{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.378{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.378{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.378{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.378{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000106081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000106079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:31.362{7DAC9CB3-C573-63BE-CB01-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000106113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:33.264{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:33.264{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:33.264{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.264{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000106104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.262{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.262{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.262{7DAC9CB3-C575-63BE-CC01-00000000A702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000106101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.014{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:33.014{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B73882CD3EA2A29755FA70AF72613B0,SHA256=61B0E8256CDFAD217B9B629EFC603DA7059185135E4F7CD3EEAB573919CEC3C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:32.757{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50042-false10.0.1.12-8000- 23542300x800000000000000041037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:34.450{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BA117681CCE49FBFAC874F604C8C75,SHA256=6CBA556320F85C5842F1AE803E90FB485488EC02B7954FA1FDD4C6A5497E71F1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.977{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000106264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.977{7DAC9CB3-C576-63BE-CE01-00000000A702}66925776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.962{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.962{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000106261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.962{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.962{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F910C28C09363ABE34E0E607E20CEE1,SHA256=57C53D6D3D7D8814E09DAA1F697FA0C0CC61F81276630A1746EC05BB1AA4A646,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.818{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000106258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.818{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000106257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.818{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000106256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.818{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000106255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.818{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000106254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.818{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000106253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.740{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.740{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.740{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.740{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.740{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.740{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.740{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.725{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000106244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000106234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000106232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000106227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000106220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000106219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000106217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000106212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:34.709{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:34.709{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.709{7DAC9CB3-C576-63BE-CE01-00000000A702}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000106205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.240{7DAC9CB3-C576-63BE-CD01-00000000A702}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000106204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.240{7DAC9CB3-C576-63BE-CD01-00000000A702}68326924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.240{7DAC9CB3-C576-63BE-CD01-00000000A702}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:34.240{7DAC9CB3-C576-63BE-CD01-00000000A702}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000106306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000106304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 
734700x8000000000000000106299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000106292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000106289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000106287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000106283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000106282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000106278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:36.540{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:36.540{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.540{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:36.541{7DAC9CB3-C578-63BE-CF01-00000000A702}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.595{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.594{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.593{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.590{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.587{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.580{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.576{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.573{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.561{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.551{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 
10341000x800000000000000041065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.548{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.532{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.521{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.497{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.486{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.479{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.468{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.451{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.444{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.434{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.427{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.418{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.412{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 10341000x800000000000000041052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.409{3EE3745C-BE85-63BE-2100-00000000A802}15522916C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000139803D0) 23542300x800000000000000041051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.289{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B038292F5231A2E0615D9B20FBB62390,SHA256=CE435752A2337C862B35FA4B156B617EDD766229B591B1945044BC4FDA832BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:44.231{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT 
AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.702{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.701{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:44.700{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.695{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.673{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.652{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.588{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.577{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.565{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.554{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.552{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.547{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.544{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.541{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.540{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.537{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 11241100x8000000000000000106380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.239{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.239{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9591578560B7990F7B4806CCAA1BA7,SHA256=6A08A5598A5E8D5F78EEE48DCEA1C8C902F47C5DE2015D72655E8A0B190F0FD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.028{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:44.027{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:44.025{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 354300x800000000000000041082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:43.823{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50044-false10.0.1.12-8000- 23542300x800000000000000041081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:45.634{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13DE483C817F26744F8AE336133B1ED,SHA256=D1A45BB99374FC54AAC9CE1B4B94D4BF23517D06160EE586E503A20CB5BCCA9F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.383{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000106428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.383{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2E82B5E3AAF7C45B3747092FF6E9DB,SHA256=CFFF31CAD61141A0113C2DB7115DE3C68D15ACFAA34851567CC2FEAC8C901158,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000106427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000106421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 10341000x8000000000000000106420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.023{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:45.023{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.023{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000106417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.023{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.021{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.021{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000106408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.021{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.021{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000106406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.021{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 734700x8000000000000000106405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.015{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000106404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.015{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000106403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program 
Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000106402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x8000000000000000106401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x8000000000000000106400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:19:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x8000000000000000106399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000106398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000106397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:45.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:46.794{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BE92A7FB51813F0CDD16059F73C9EE,SHA256=AB14DB04B87865390F06F422564A7B5E00DD1CA81BEC9B9DFA56656297CB53F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:46.496{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:46.496{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694D190BC000E15F8F2E6D8130C15FCF,SHA256=4D202B03AF370EC4DD14E6FDAC0B164F36EBB43AAB4A30D1052916B704CF8AF9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:47.579{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:47.579{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1FA4CEAAC151650D1A6ACDC67165D9,SHA256=64646045469416262E9C4920C90C8C6F6B886FD4127C2E29B8ABABFAA019FDFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:48.661{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:48.661{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007E1079D943BC2DF83FF5BC9F190ED7,SHA256=3AC67C4137C407615E937E7885F46576F2551A7BE2FD040518F2F225A598765A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:48.099{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261F73B969B550B4497C3BD211E9E359,SHA256=4FDE9990F1137B1612CC845929BFD3B204B82B8CA0B7CB158C296D40C3A176F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:49.741{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:49.741{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C43D0D68F51B3CEEF2088D9370A7DB,SHA256=BFFDA0B0D8DD03FFB21DDF3BAD908479F3570AD819C78EAF836E1FED90A5EDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:49.209{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17657255B041B24A87E9647E70A0B38,SHA256=1D7CD058886176B3A1FB4AC7E9892CA3EF2862D5BD0636628600E703E99E43E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:50.838{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:50.838{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD4B1323DF99A8DAB2F904659DEFD65,SHA256=038BC6745E32FF8BBB297E2E83E747DDD0568DDA2FABF180DF4BCE5F5D795085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:50.416{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB6E7CB06A0037C7ECC0151C13B17E5,SHA256=C452DB3292051B3FFCE0666BEABA257E97476F22223885CBEAA274AC2C6F4E26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:47.960{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59629-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000106442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:51.931{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:51.931{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAAB43D1742717429BA1CED8F3F72B2,SHA256=00CF42E11C860CC451A328F821E3E5808670AA10488AA9DD6A2627B3BA915C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:51.501{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4D2A7194B8482BAE91C017D11A2A36,SHA256=90F28A3D8009FE8C6B2F8B3591FC77A0C3E92EF8EE06D84FC6A5444615F7B237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:52.590{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8345CFB0685808B7FA5C791AC622FFB,SHA256=22D64AF8112FD21C80B11245BC1931670F8DB183CCE7207F09A17CF06591B504,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:49.710{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50045-false10.0.1.12-8000- 23542300x800000000000000041090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:53.682{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1B35B8CBCBA88B8B84A503C07D5E55,SHA256=973C29048EA957706F71F4C96CAE78C25EFABB2C26F194E2CE24E82734C0F8D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:53.032{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:53.032{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89757DE24651F046237671640823542,SHA256=E8414A44BA2D6E5A028DF56D218AB95B98CFDAE92F183E0A357CABAEFA429711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:54.881{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BF00FCC81888BC42213799C25D0DC4,SHA256=CE917D887F9B6F62F72054F4F778A5EDA6CCF7E67F01C534012CFF5F17AADBA5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:54.131{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:54.131{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B2A74BC210DBADA2AB013271324E6D,SHA256=77B2BCEF4F696F8D58BBAA2ACF7B889E1141AAB6CAB643418F7A60BAF123D8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:55.979{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A084988160BFD9E3070087BCF2DB36,SHA256=92EFBAC715B8B46546B806F6F5A2E779B05A46D2FB9A8B3E5D83B982BB9924D0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:55.335{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:55.335{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F88A82235547628ECB2823E28F8E57,SHA256=819D8B066456E4E495D06ABFB42CA486F2F72F8DDD4F5A7F7A72E3891D006E10,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:56.429{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:56.429{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164DC8F4EA42EEDDE318EF07E2BC8C3C,SHA256=F7902CC8E3D4E4F041950AF31AA37F6A9405C4D3D81E2E0B819613DB19A8DCB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:53.841{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59630-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000106454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:57.659{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:19:57.659 
11241100x8000000000000000106453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:57.518{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:57.518{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6876CBC50D918A78BCD1E6D5B23C7B,SHA256=9217F6B83D8AB288B6ACF0A8FD91C24C0684380BD2EE96AF4619C26FEAA45CBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:55.663{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50046-false10.0.1.12-8000- 23542300x800000000000000041093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:57.067{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D90D040237CD9BF50319BFD9C99C99E,SHA256=797755EBFA459C192F72C794E14CAAB3F63E0E62869961282B3616F88455454F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:19:58.613{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:58.613{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61B3FCEC19161F4EABA96807FEA49DF,SHA256=21954E97176AC8BDCF997F181474A3031ED9400535CA02321B694E6CDEB6E6B1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000041111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.412{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d925c7-0xc8f173ac) 10341000x800000000000000041110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:58.193{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:58.193{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000041108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 
14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000041107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000041106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\AddressTypeDWORD (0x00000000) 13241300x800000000000000041105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\LeaseTerminatesTimeDWORD (0x63bed39e) 13241300x800000000000000041104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\T2DWORD (0x63bed1dc) 13241300x800000000000000041103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\T1DWORD (0x63becc96) 
13241300x800000000000000041102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\LeaseObtainedTimeDWORD (0x63bec58e) 13241300x800000000000000041101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\LeaseDWORD (0x00000e10) 13241300x800000000000000041100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\DhcpServer10.0.1.1 13241300x800000000000000041099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\DhcpSubnetMask255.255.255.0 13241300x800000000000000041098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\DhcpIPAddress10.0.1.15 13241300x800000000000000041097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:19:58.193{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{136b9c72-9c57-4344-818a-f520612e8eca}\DhcpInterfaceOptionsBinary Data 
23542300x800000000000000041096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:58.162{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52D43C752B528DE1B90B61360F8055A,SHA256=241D34465ACFE2FF4D5877BC11BE10B2461E012FD5DE1C132A1A1E7BCE4AD6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:58.021{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CDF3AAE39C5F569720804DB9398508DF,SHA256=9C69498E01131CA1D17E5E2B51D5D3FE257100FB4B71CC92012E001FC6604993,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:59.699{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:19:59.699{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1029533C2615478B25BF516BC0C5E3F,SHA256=606F20F3C5F9C87B9320E6ADE301C0009864E686CDA9376D046B3A96CD9443D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:19:59.460{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8F7E5580FEB5E89547EE21F4BD565B,SHA256=686AF4FC5FEC854025C6CD0E668AA98292A1F86FB90FA8195BCA894223A0581B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.998{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 11241100x8000000000000000106463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.791{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.791{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0ED642F8A771EDE3E901A8637A83B4,SHA256=2D685AB5E714E42E14364D20C390DC4B8CB2F8E82626B5B6EEF7B54D8E2AB825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.701{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-028MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:00.579{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC12C24396CB3ACBE0D4CD463AC13261,SHA256=A323BE0BA8BF009D00FF9CEB6D65436D93B6A4937A7512749C5C6FE0CE9DE7BE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.699{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\respondent-20230111135017-0282023-01-11 14:20:00.699 11241100x8000000000000000106459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:00.698{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\surveyor-20230111135015-0292023-01-11 
14:20:00.698 354300x800000000000000041116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:57.989{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 354300x800000000000000041115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:57.800{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9800:e6b4:fac:ffff-53788-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000041114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:57.800{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:3965:a991:8a3a:ca3ewin-host-ctus-attack-range-780.us-east-2.compute.internal53788-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000041113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:19:57.786{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 10341000x8000000000000000106511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.992{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 12241200x8000000000000000106510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:01.991{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000106509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:01.988{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000106508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:01.987{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NetBT 12241200x8000000000000000106507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:01.987{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NetBT 13241300x8000000000000000106506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.987{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\DhcpConnForceBroadcastFlagDWORD 
(0x00000000) 13241300x8000000000000000106505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.987{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000106504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.987{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000106503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.987{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\LeaseTerminatesTimeDWORD (0x63bed3a1) 13241300x8000000000000000106502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.986{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\T2DWORD (0x63bed1df) 13241300x8000000000000000106501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.986{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\T1DWORD (0x63becc99) 13241300x8000000000000000106500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:20:01.986{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\LeaseObtainedTimeDWORD (0x63bec591) 13241300x8000000000000000106499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.986{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\LeaseDWORD (0x00000e10) 13241300x8000000000000000106498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.986{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\DhcpServer10.0.1.1 13241300x8000000000000000106497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.986{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000106496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.986{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\DhcpIPAddress10.0.1.14 13241300x8000000000000000106495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:01.986{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{93f56272-c16e-4085-bf38-3bae93c3310e}\DhcpInterfaceOptionsBinary Data 
10341000x8000000000000000106494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.980{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.973{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.960{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.956{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.950{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 11241100x8000000000000000106489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.838{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.838{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEC82A7690E5DAAD29DCAB963A8AF24,SHA256=53DE892D45673CA9FA22D0F601D2E2E621EEFF6F069D6DBBAF7619182DE40E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:01.674{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6F81C62053AD054EA32D23ACB7745E,SHA256=A1180D047F725A3CA873E19AF4D7690F5AD1F2FC0F1169CB3523BBBC41603459,IMPHASH=00000000000000000000000000000000falsetrue 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59632-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local445microsoft-ds 354300x8000000000000000106567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:01.789{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 11241100x8000000000000000106566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:03.396{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000106565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:03.396{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0B7434CACE233CB6DC255C50F4ED742,SHA256=5B3C895A7E8D98B89448D762AF8A35CAF6FE9549673794278ABF3821D9D40A0E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:03.350{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:03.350{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4251025468C19E487B53A68876DE2AF,SHA256=FB49B18893166B02D0FF7C00AB8F4CE9BCF5304C24D34B0490B8F0ADB6B12E95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:00.757{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50047-false10.0.1.12-8000- 23542300x800000000000000041152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.951{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06208C59BE4311136ADC7C663702337,SHA256=ED8370C6AC1F47AF1AF663D94CF14FFB4125946AE5B75913A1938B1B1F9AD076,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.907{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 
10341000x800000000000000041150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.903{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.898{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.896{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.895{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.886{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.885{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.878{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.874{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.869{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x8000000000000000106613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.566{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.565{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.565{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.563{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.544{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.524{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 11241100x8000000000000000106607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.486{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.486{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC2343F22FEC825448029F2188DCC9D,SHA256=0251A072D65FCD3AAB622CD1BB75751C6FFB84BD5A8EB32DCA1DD34C3F506027,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.461{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.447{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 
10341000x8000000000000000106603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.434{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.424{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.420{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.415{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.409{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.406{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.405{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x8000000000000000106596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:04.402{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405992C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039A50) 10341000x800000000000000041141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.849{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.842{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:04.833{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:06.019{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000106671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:07.773{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:07.773{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEE43B99E8D1AFCE6FE11D5C2348471,SHA256=E416E5968C63EEE5015A0D10D6D21D5E4BE41973ED124D2393C843574DB8E9D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:07.831{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:07.831{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:07.831{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:07.816{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:07.068{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BA529076F0904311C4D54963D7979F,SHA256=80BEF11786A190650B75C639440B396A506DF797AEA053F3E9EDCFE006AF505E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:05.839{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52031-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000106673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:08.966{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:08.966{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014EE6B2E87566B01E56D56049DC8BA9,SHA256=00F67635F70F27B72CCFF84AC3F36ACE1FE90AA4E9ACF174E877BD55B9365084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:08.142{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613DB0310BA656E8051E5FFFC9400D67,SHA256=89E62E86A989245253F031EEC5245FF3196339EEEB819CFAECAFD752D25870B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:06.723{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50048-false10.0.1.12-8000- 23542300x800000000000000041161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:09.473{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:09.240{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB04D39DB84DEDE6B38C2807ED083AD8,SHA256=BF29087CE624138EBBCDCCDDD799F764DACF5D811F3CF541B35C53BFFE3F270E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:10.318{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B09BC63ED42370E383C7ACF0569FB5,SHA256=D9A7DF35D7EE1153F3D56ECC89A99AD9C1CC5DE951151DF2E216428AC9E79C11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:10.057{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:10.057{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01388B31E76749C796C0FF450C3F622,SHA256=1D3F79825EE165EF492AF40C6E7A04B870D132DFB022B9C753022C4845E1AB36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.877{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C59B-63BE-6E01-00000000A802}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 
10341000x800000000000000041196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.877{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C59B-63BE-6E01-00000000A802}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000041195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.877{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C59B-63BE-6E01-00000000A802}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 23542300x800000000000000041194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.855{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=07567F10377BDA32D1394853532030E3,SHA256=0492262405DCCA5720CFA5DA3DD29FB2D8435C1E3957F2D117739DD5B59E0817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.845{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=64720DFC03E13D1F41DA03EB6843AB4F,SHA256=13E56C313C2A55253DBB1315469143E5F9E578D792D95B56BF56ECE61D7D5769,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.665{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C59B-63BE-6E01-00000000A802}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.665{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.665{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C59B-63BE-6E01-00000000A802}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.665{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C59B-63BE-6E01-00000000A802}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.667{3EE3745C-C59B-63BE-6E01-00000000A802}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000041179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:09.050{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50049-false10.0.1.12-8089- 23542300x800000000000000041178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.415{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A48C6703A98955F1A3AF297150B73A9,SHA256=69D754CE1A262957557E01C538EADD8DDFFDDC01EE0E87F6097ADB1D979B1F56,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:11.154{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:11.154{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5C9D31FCD8AA8DD0C8378D0189B326,SHA256=3083F4719167AFA29B9A3299962401B557877D5D5D76AF6C766696666725C89B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.259{3EE3745C-C59B-63BE-6D01-00000000A802}37603952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C59B-63BE-6D01-00000000A802}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C59B-63BE-6D01-00000000A802}3760C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C59B-63BE-6D01-00000000A802}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:11.025{3EE3745C-C59B-63BE-6D01-00000000A802}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:12.525{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7320AD8891843CC6BB98AD1894FDC0E9,SHA256=1F5274E6A59557D655766AE4B5F33D409179B27375AA24C50CA754A879F7C93C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:11.037{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52032-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000106679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:12.233{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:12.233{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1308C65E022E6970906E630B00162C3,SHA256=CDB38C0F6FA288EA0F1B4CDC381D73434E3EF3C05E77E3C81FF293089325BC4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:12.165{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C59C-63BE-6F01-00000000A802}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:12.165{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:12.165{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:12.165{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:15.132{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C59F-63BE-7201-00000000A802}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:15.132{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:15.132{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C59F-63BE-7201-00000000A802}2648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:15.132{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C59F-63BE-7201-00000000A802}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:15.133{3EE3745C-C59F-63BE-7201-00000000A802}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:16.991{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BDF407885AC13B5D8F5674A21B5139,SHA256=04939A8E11972610CC4B76ED50D98ABAF547A320706847A589A3C16B28C52DC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:16.578{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:16.578{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05FB5A744368F680D5E47E37822CF954,SHA256=B953BEEC69711EA7AB492FD24222A437ED08ECB67ADD09AF362AB0026F84B92C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:16.523{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C5A0-63BE-7301-00000000A802}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:16.523{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:16.523{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C5A0-63BE-7301-00000000A802}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:16.523{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C5A0-63BE-7301-00000000A802}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:16.524{3EE3745C-C5A0-63BE-7301-00000000A802}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000106690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:16.116{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-10 09:33:07.314 23542300x8000000000000000106689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:16.115{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:17.662{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:17.662{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC66EF2D472CCE3452F6AC82B924070C,SHA256=D4DE2544AF800098796C1DC01A2FA3AC463CEBB8318BEBF324C928A74BCA5C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:17.580{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA8ABD246EB0FD16F99436034D9CECD,SHA256=3B2E2B707C3AF25607708739CBD43BEF806FA658BF4B9D3867924F49591C82A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:18.865{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:18.865{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8359EB6D0FE5B57C90797D48C718DE93,SHA256=18AE134410DCBCF238AD0458657DE494C8D85D7E7B137861AB456C4484E6156D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:18.072{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808523C8879258DB326556D7B9738799,SHA256=7D5ECF1518BED3FB62EC0E543A2C3C01761E9741407827D08FBCC3F4710FA377,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:16.052{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52034-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000106695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:15.901{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52033-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000041276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:17.712{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50051-false10.0.1.12-8000- 23542300x800000000000000041275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:19.276{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6036504501ABCA921B4B988707EEC0A4,SHA256=18BB32BA044A3577A08E2A4FB7EFEA61EBC3A5DAD295C31BDEDECCB3DBE65F91,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000041277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:20.366{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8128512E7EC7323161196A9F313185,SHA256=1A7553A4D1BD3FD5C0CFC8B54CDD21BCAE208F0EC4B749EB041052097D1700B9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:20.065{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:20.065{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CA3C8B4FF5238240641B518242ED89,SHA256=8DC10F398A75D2CCD65EB4D18E08A6431A9BCDD43AAB15183EC2A6B0EB80F32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:21.465{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C02C945B016AD3BF4118BAC5F6F19B,SHA256=4495E055B6E1A63F5358494CC6B3E109F541D1DA0B3AC25D5650F40313B2455D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000106721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.372{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.346{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.325{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.317{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.313{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.310{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.261{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.245{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.233{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.210{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.186{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.167{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 11241100x8000000000000000106709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.150{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 10341000x8000000000000000106708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.150{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000106707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.149{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B0710DC91633EFD2092056AAB84F78,SHA256=D5E64A8A6A40F5B925A93B7506286177F0837DCB924901C4CB1DA758886CDFD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.135{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:21.117{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.099{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.083{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.011{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:21.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000041279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:22.566{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011DB7F52BB5C9BFF5C0CDEF80BDC5A3,SHA256=CC4199986268AF0EE6395D04F645DF61C3CA618A3930923C29B92463C7637108,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.277{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.277{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C540006D71363733171C817C9D0D525E,SHA256=7D7DA593A1AFB4A3D3394E124C75232E36EC312FF54D7D0C70AA888A7C0F1BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.073{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.070{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.064{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.060{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.052{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.047{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000041280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:23.669{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE15ECA33F89E5D51CB0BAD44B40C39A,SHA256=32C523373F0DC4EF9F4577918BAB9C1DD69B1DF9B75C6C24821D1A8DE283832A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:23.372{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:23.372{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A300AF3A949B9D1E12AAEB42A82B9FE,SHA256=EB3D8A15C60B8A8E6A240BD07FA657E30DDDB997D02D8B865930B7F306B770C7,IMPHASH=00000000000000000000000000000000falsetrue 
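The Event ID 10 (ProcessAccess) records in this stretch of the dump show one source process, C:\Program Files\Aurora-Agent\aurora-agent.exe (PID 5840), opening lsass.exe, winlogon.exe, dns.exe, the ADWS service, spoolsv.exe, sysmon64.exe, splunkd.exe and a long run of svchost.exe instances within a few seconds, every time with GrantedAccess 0x40 and a CallTrace that ends in the agent's own image followed by UNKNOWN(0000000013038850). The outline of that (a third-party binary opening LSASS with an unbacked frame on the stack) is close to the classic credential-dump signature, so the field to check is the access mask: 0x40 is PROCESS_DUP_HANDLE alone, with no PROCESS_VM_READ, and a burst of identical opens across every process on the box is the fingerprint of a handle sweep, not a targeted dump. The triage below is an added example, not code from this page, from Sysmon, or from the agent's vendor. It parses constructed records that copy the field shape of the dump (the GUIDs, timestamps and the non-agent paths are made up), decodes the mask into PROCESS_* rights, scores LSASS opens, and groups accesses per source to surface the sweep; the allowlist and the scoring thresholds are assumptions chosen for illustration.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example for this page; not code from the page, from Sysmon or from
any agent vendor.  The records below are constructed to mirror the field
shape of the dump above (source, target, GrantedAccess, CallTrace); the
GUIDs, timestamps and non-agent paths are made up.  The allowlist and
the scoring rules are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# PROCESS_* access rights from winnt.h, used to decode GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_RIGHTS = 0x0008 | 0x0010 | 0x0020  # VM_OPERATION | VM_READ | VM_WRITE

# Hypothetical allowlist: agent binary (lower-case path) -> the only mask it
# is expected to request.  The agent in the dump asks for 0x40 everywhere.
BASELINE_SOURCES = {r"c:\program files\aurora-agent\aurora-agent.exe": 0x40}


def parse_record(text):
    """Parse one constructed 'key=value; key=value' record into a dict."""
    ev = {}
    for part in text.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            ev[key] = value.strip()
    ev["GrantedAccess"] = int(ev["GrantedAccess"], 16)
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def decode_access(mask):
    """Name the rights set in a GrantedAccess mask."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def triage(ev):
    """Score one ProcessAccess event: baseline, high, medium or low."""
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    mask = ev["GrantedAccess"]
    allowed = BASELINE_SOURCES.get(src)
    if allowed is not None and (mask & ~allowed) == 0:
        return "baseline"          # known agent, no rights beyond its norm
    if tgt.endswith(r"\lsass.exe"):
        if mask == PROCESS_ALL_ACCESS or mask & MEMORY_RIGHTS:
            return "high"          # can read LSASS memory: dump-capable
        if "UNKNOWN(" in ev.get("CallTrace", ""):
            return "medium"        # unbacked code on the stack, not allowlisted
    return "low"


def find_sweeps(events, min_targets=5, window_s=5.0):
    """Sources that open >= min_targets distinct processes within window_s."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["SourceProcessGUID"]].append(ev)
    sweeps = {}
    for guid, evs in by_source.items():
        evs.sort(key=lambda e: e["UtcTime"])
        best = 0
        for i, first in enumerate(evs):      # sliding window over time
            seen = set()
            for e in evs[i:]:
                if (e["UtcTime"] - first["UtcTime"]).total_seconds() > window_s:
                    break
                seen.add(e["TargetImage"].lower())
            best = max(best, len(seen))
        if best >= min_targets:
            sweeps[guid] = (evs[0]["SourceImage"], best)
    return sweeps


def _rec(ts, guid, src, tgt, access, trace):
    return (f"UtcTime={ts}; SourceProcessGUID={guid}; SourceImage={src}; "
            f"TargetImage={tgt}; GrantedAccess={access}; CallTrace={trace}")


AGENT = r"C:\Program Files\Aurora-Agent\aurora-agent.exe"
AGENT_TRACE = (r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|"
               + AGENT + "+6a255|UNKNOWN(0000000013038850)")
UNK_TRACE = r"C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(00000000deadbeef)"
SYS = r"C:\Windows\system32"
SAMPLE_RECORDS = [  # constructed; the agent sweep mirrors the dump's pattern
    _rec("2023-01-11 14:20:21.005", "{A-1}", AGENT, SYS + r"\winlogon.exe", "0x40", AGENT_TRACE),
    _rec("2023-01-11 14:20:21.011", "{A-1}", AGENT, SYS + r"\lsass.exe", "0x40", AGENT_TRACE),
    _rec("2023-01-11 14:20:21.083", "{A-1}", AGENT, SYS + r"\svchost.exe", "0x40", AGENT_TRACE),
    _rec("2023-01-11 14:20:21.325", "{A-1}", AGENT, SYS + r"\spoolsv.exe", "0x40", AGENT_TRACE),
    _rec("2023-01-11 14:20:21.372", "{A-1}", AGENT, SYS + r"\dns.exe", "0x40", AGENT_TRACE),
    _rec("2023-01-11 14:31:02.100", "{B-2}", r"C:\Users\bob\AppData\Local\Temp\pd.exe", SYS + r"\lsass.exe", "0x1FFFFF", UNK_TRACE),
    _rec("2023-01-11 14:32:10.400", "{C-3}", SYS + r"\rundll32.exe", SYS + r"\lsass.exe", "0x1010", UNK_TRACE),
    _rec("2023-01-11 14:33:00.000", "{D-4}", r"C:\Temp\tool.exe", SYS + r"\lsass.exe", "0x1400", UNK_TRACE),
    _rec("2023-01-11 14:34:00.000", "{E-5}", SYS + r"\Taskmgr.exe", SYS + r"\notepad.exe", "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+a6154"),
]


def triage_all(records=SAMPLE_RECORDS):
    """Return [(target basename, severity)] plus the detected sweeps."""
    events = [parse_record(r) for r in records]
    scored = [(e["TargetImage"].rsplit("\\", 1)[-1], triage(e)) for e in events]
    return scored, find_sweeps(events)


if __name__ == "__main__":
    scored, sweeps = triage_all()
    for target, sev in scored:
        print(f"{sev:8} {target}")
    for guid, (src, n) in sweeps.items():
        print(f"sweep: {src} ({guid}) touched {n} processes")
```

Two design points carry over to a real pipeline. The allowlist keys on the full image path and on an exact mask, so an agent binary that suddenly requests 0x1010 or 0x1FFFFF against lsass.exe drops out of the baseline and is scored like any other source; and the sweep check keys on SourceProcessGUID rather than PID, since Sysmon's GUID survives PID reuse across the dump's long-running processes.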
23542300x800000000000000041310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.992{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F12D8EE41675C7425B263BDCFF8173,SHA256=8F03451F26780DBB6DA39290019137240B6EB5A1EE82AE0998CD4B53F564409F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.742{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.741{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.740{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.739{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.717{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.703{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.673{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.662{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.653{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.646{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.643{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.640{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.637{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.634{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.633{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000106739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.632{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 11241100x8000000000000000106738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.552{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.552{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C2DA12F8A79410687EFB6869C2BA36,SHA256=9EAB8979C534ECFCB8FE8D4577F8F8104C3A19552D7E52F6B9EF30E098A4F645,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.582{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.580{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:24.576{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.574{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.572{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.565{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.564{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.563{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.562{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.557{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.551{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.547{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.544{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.537{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.524{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 
10341000x800000000000000041294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.521{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.503{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.496{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.473{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.467{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.459{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.452{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.444{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.439{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.432{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.426{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.418{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.412{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:24.408{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 354300x8000000000000000106736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:22.015{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52035-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000106735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:24.113{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program 
10341000x8000000000000000106766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:29.077{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C5AD-63BE-D001-00000000A702}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:29.077{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5AD-63BE-D001-00000000A702}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:29.078{7DAC9CB3-C5AD-63BE-D001-00000000A702}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000106763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:29.030{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:29.030{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8F7737386A97DA53068E75CD87958A,SHA256=1738AA12A74A4D17D56A26A7AA9829F0B8304B52D903A9BD644026D5A1A5B659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:30.657{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F171C36524D57CC366A8DD40954E5BF,SHA256=3E3D7287584E29733EE838139182C7EE693B5E478E5FF152DAD9483EDB7DE908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.895{7DAC9CB3-C5AE-63BE-D101-00000000A702}54365940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.895{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.895{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 
(rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000106872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000106866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000106865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.708{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000106863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000106861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000106850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000106848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000106845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000106843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000106836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000106835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000106831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:30.692{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.692{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.693{7DAC9CB3-C5AE-63BE-D101-00000000A702}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000106824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.235{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000106823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:30.235{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60514BB179B6E8621553289A8352275D,SHA256=696976EA0E30941BC25CCD25B667F83AD5115DBE24476F2E2CDC74EC325FCCE2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.188{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000106821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:30.188{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656065F239714034B11DE0030002AA13,SHA256=23F34EFDFDD17D25204F5741B1DF28F9CFA5F08D658B8002C970D8759FAFE520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:31.947{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC6B16275F02179C87C4CD29B188DE8,SHA256=9B23968947F1A03306203170A5199F22F5523A9CBAD224999C0A9B1A6A5F49CC,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:31.660{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000106936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.660{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000106935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.660{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000106934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.566{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3E0E9B8806CB10F7DAB4502AAA917E2E,SHA256=DD3063E3582172266DE4CB77F8DFB0E6323A117206576D03D04A02D10B097A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:29.790{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52037-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000106932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:29.790{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52037-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 11241100x8000000000000000106931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.434{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000106930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.434{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=36F9AB350333C4505CC6D3A88220BA9E,SHA256=66559F0DB5493302BC89020E751EB5F57EC9CF2AA1290591B17943A28B32246C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000106929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:31.406{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000106928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.405{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000106927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.403{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000106926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.402{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000106925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.399{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000106924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.398{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000106923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.398{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000106922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.398{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000106921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.379{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000106920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.379{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000106919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.377{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000106918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.377{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000106917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.376{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000106916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.375{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000106915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.374{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000106914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.374{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000106913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.374{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000106912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.374{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000106911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.374{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000106910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.373{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000106909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.373{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000106908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.373{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.373{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000106906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.373{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000106905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:31.372{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000106904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.372{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.372{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:31.372{7DAC9CB3-C5AF-63BE-D201-00000000A702}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000106957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000106956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000106955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000106954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000106953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000106952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000106951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:33.287{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000106950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000106949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000106948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000106947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000106946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:33.287{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:33.287{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.287{7DAC9CB3-C5B1-63BE-D301-00000000A702}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000041319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:29.746{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50053-false10.0.1.12-8000- 23542300x800000000000000041318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:33.146{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8C7C123E7892237372A98303F486E9,SHA256=F64AEAA04B3EB9CAC1B2A27634B52400540EA59E88E3F8F00899C93BD09F73A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:34.246{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD2ED776B0B5B70C13C90B5EB0B5BF7,SHA256=F6255F44E113E00DC79B8619691F7DB2F536FF634EE63F066DC800840BBBB97C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000107103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.926{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.926{7DAC9CB3-C5B2-63BE-D501-00000000A702}19686072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000107101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.910{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.910{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000107099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.755{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:34.755{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA98E3B63F48378FE4136BE5D17DB74,SHA256=E258B42AFFA34CF837BCE75492988FF2A34836E426A78BA0E3EF666B71A39B66,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000107097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.660{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.660{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.660{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.660{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000107093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.644{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.644{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000107091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.644{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.644{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000107089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000107081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000107076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.628{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft 
WindowsValid 734700x8000000000000000107074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 11241100x8000000000000000107071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
734700x8000000000000000107070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000107069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 23542300x8000000000000000107066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9647658FBE0216FABEF84C2259677679,SHA256=61C8020CEDD2FCB521AF515A587B088D833274D41D80ABDCA01241638983DAA7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000107065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000107064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000107063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 
32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000107059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000107058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000107057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 
734700x8000000000000000107056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000107054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:34.613{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:34.613{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000107050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:34.613{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000107048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.615{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.222{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.222{7DAC9CB3-C5B2-63BE-D401-00000000A702}60286116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000107045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.206{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.206{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
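The records above are Sysmon events (EventID 7 image loads, EventID 10 process-access events, plus a few EventID 1, 11 and 23 records) exported from a Splunk Attack Range Windows domain controller with the XML tags stripped, so every field runs straight into the next. The Python below is an added example, not code from the page, from Splunk or from Sysinternals: it splits such records back into fields using the ones with a fixed shape (the header, where Sysmon's Task equals the EventID, GUIDs, timestamps, the MD5=/SHA256=/IMPHASH= triple, hex access masks) and then applies two detections, unsigned or out-of-tree module loads and write/thread-capable handles to sensitive processes. The field order, the SignatureStatus value set, the sensitive-target and allowed-source lists, the hypothetical helper.dll and tool.exe and the two 9000xx records are assumptions; records 107056 and 107051 are copied from the page.

```python
"""Parse the delimiter-less Sysmon records on this page and run two small
detections over them. Added example, not part of the dataset. Assumed layout
(XML tags stripped, fields fused): EventID Version Level Task Opcode Keywords
RecordID Channel Computer '-' UtcTime {ProcessGuid} event-specific body."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sysmon sets Task == EventID, so a backreference pins the fused digit run
# "734700x8..." to EventID=7 Version=3 Level=4 Task=7 Opcode=0.
HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"\{(?P<guid>[0-9A-F-]{36})\}(?P<body>.*)$")
# EventID 7 (ImageLoad): FileVersion..OriginalFileName are inseparable in this
# rendering and stay fused in 'meta'; the hash triple and the trailing
# SignatureStatus value set (assumed: Valid/Invalid/Expired/Unavailable) delimit the rest.
IMAGE_LOAD = re.compile(
    r"^(?P<pid>\d+)(?P<image>[A-Za-z]:\\(?:(?![A-Za-z]:\\).)+)"
    r"(?P<loaded>[A-Za-z]:\\.+?\.(?i:dll|exe|sys|ocx))(?P<meta>.*?)"
    r"(?P<hashes>MD5=[0-9A-F]{32},SHA256=[0-9A-F]{64},IMPHASH=[0-9A-F]{32})"
    r"(?P<signed>true|false)(?P<signature>.*?)(?P<status>Valid|Invalid|Expired|Unavailable)$")
# EventID 10 (ProcessAccess): SourceProcessId+SourceThreadId are fused
# ("4205144" is 420 and 5144) and are kept as one string rather than guessed.
PROCESS_ACCESS = re.compile(
    r"^(?P<src_ids>\d+)(?P<src_image>[A-Za-z]:\\(?:(?!\{).)+)"
    r"\{(?P<tgt_guid>[0-9A-F-]{36})\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.+?)"
    r"(?P<access>0x[0-9A-Fa-f]+)(?P<calltrace>[A-Za-z]:\\.*)$")
BODY_PARSERS = {7: IMAGE_LOAD, 10: PROCESS_ACCESS}

@dataclass
class SysmonEvent:
    event_id: int
    record_id: int
    utc: str
    fields: Optional[Dict[str, str]]  # None when the body did not parse

def parse_record(line: str) -> Optional[SysmonEvent]:
    m = HEADER.match(line.strip())
    if not m:
        return None
    parser = BODY_PARSERS.get(int(m["event_id"]))
    body = parser.match(m["body"]) if parser else None
    return SysmonEvent(int(m["event_id"]), int(m["record_id"]), m["utc"],
                       body.groupdict() if body else None)

# Process access rights from winnt.h; 0x1FFFFF is PROCESS_ALL_ACCESS.
ACCESS_BITS = {0x1: "TERMINATE", 0x2: "CREATE_THREAD", 0x8: "VM_OPERATION",
               0x10: "VM_READ", 0x20: "VM_WRITE", 0x40: "DUP_HANDLE",
               0x400: "QUERY_INFORMATION", 0x800: "SUSPEND_RESUME",
               0x1000: "QUERY_LIMITED_INFORMATION"}
TAMPER_MASK = 0x1 | 0x2 | 0x8 | 0x20 | 0x800
# Example policy (an assumption, tune per environment): targets whose handles with
# write/thread rights deserve review, and sources that take such handles legitimately
# (csrss.exe opens every new process; the page's CallTrace shows basesrv.DLL doing it).
SENSITIVE_TARGETS = {"lsass.exe", "sysmon64.exe", "sysmon.exe"}
ALLOWED_SOURCES = {"csrss.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def decode_access(mask: str) -> List[str]:
    value = int(mask, 16)
    return [name for bit, name in ACCESS_BITS.items() if value & bit]

def findings(ev: SysmonEvent) -> List[str]:
    """Reasons an analyst should look at this event; empty means benign."""
    out: List[str] = []
    f = ev.fields
    if f is None:
        return out
    if ev.event_id == 7:
        if f["signed"] != "true" or f["status"] != "Valid":
            out.append(f"unsigned/invalid module {f['loaded']} ({f['status']})")
        if not f["loaded"].lower().startswith(TRUSTED_ROOTS):
            out.append(f"module loaded from untrusted path {f['loaded']}")
    elif ev.event_id == 10:
        src, tgt = (f[k].rsplit("\\", 1)[-1].lower() for k in ("src_image", "tgt_image"))
        if (int(f["access"], 16) & TAMPER_MASK and tgt in SENSITIVE_TARGETS
                and src not in ALLOWED_SOURCES):
            out.append(f"{src} opened {tgt} with {'|'.join(decode_access(f['access']))}")
    return out

def scan(lines: List[str]) -> Dict[int, List[str]]:
    """RecordID -> findings for every line that parses as a Sysmon record."""
    return {ev.record_id: findings(ev) for ev in map(parse_record, lines) if ev}

# Sample input: records 107056 and 107051 are copied from the page; the two
# 9000xx records (helper.dll, tool.exe) are constructed to trigger the rules.
SAMPLE = [
    "734700x8000000000000000107056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613"
    "{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exeC:\\Windows\\System32\\ntdll.dll"
    "10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,"
    "SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid",
    "10341000x8000000000000000107051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.613"
    "{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\\Windows\\system32\\csrss.exe{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968"
    "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe0x1fffffC:\\Windows\\SYSTEM32\\ntdll.dll+a6154|C:\\Windows\\system32\\basesrv.DLL+2f47",
    "734700x8000000000000000900001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:00.000"
    "{7DAC9CB3-C5B2-63BE-D501-00000000A702}1968C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exeC:\\Users\\Public\\helper.dll-----"
    "MD5=" + "A" * 32 + ",SHA256=" + "B" * 64 + ",IMPHASH=" + "C" * 32 + "false-Unavailable",
    "10341000x8000000000000000900002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.000"
    "{7DAC9CB3-C5B2-63BE-D501-00000000A702}70127100C:\\Users\\Public\\tool.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728"
    "C:\\Windows\\sysmon64.exe0x1fffffC:\\Windows\\SYSTEM32\\ntdll.dll+a6154",
]

if __name__ == "__main__":
    print({rid: reasons or "benign" for rid, reasons in scan(SAMPLE).items()})
```

Run it directly to get a verdict per RecordID. On the page's own records nothing fires: every EventID 7 load is Microsoft- or Splunk-signed and sits under C:\Windows or C:\Program Files, the svchost.exe handles to sysmon64.exe are 0x1400 (query rights only), and the 0x1fffff handles to splunk-regmon.exe are taken by csrss.exe, conhost.exe and the parent splunkd.exe while that process is being created (record 107048). Fields this rendering fuses (SourceProcessId with SourceThreadId, FileVersion through OriginalFileName) are kept as-is rather than guessed; take them from a proper XML or JSON export when they matter.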
734700x8000000000000000107039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000107037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000107035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.051{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000107029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000107021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000107019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft 
WindowsValid 734700x8000000000000000107015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000107009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000107008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000107007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000107006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000107005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000107003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:34.035{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:34.035{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000106998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.035{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000106997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:34.036{7DAC9CB3-C5B2-63BE-D401-00000000A702}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:35.320{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF1222E9F45352CBC7629DBF536E50C,SHA256=CE3411AC49F2F31FE875014653570AB3406087AB8A36DCAD4418801497B75D33,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000107108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:35.753{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000107107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:35.753{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=397A8916CE3FC7B56A48E3D47F7B8547,SHA256=B2BEA5C9233B6166FC46577DD40AFE313BAC6D4C46902A988F9B364FFD7F7B8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:33.964{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52038-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000107105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:35.361{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:35.361{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEED12472CD6E5F8611689E22C4DEA33,SHA256=76A3D126CB867F9C921A077FB5F9D815B2D79B67AC94A708FE3D83B0DB95BB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:36.411{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1BCA4C9745426E86F47C62D0046400,SHA256=31A75194A23CD84E19A375D71996E7ABA8004325A248FC63BBFD24EFD4DB07F9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000107161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.702{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.702{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000107159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.702{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.549{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.549{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.549{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.549{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000107154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.549{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000107153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.549{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.549{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000107151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.549{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.548{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000107149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.547{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.547{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.547{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.547{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.546{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000107144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.546{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.546{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.545{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.545{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.545{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000107139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.545{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000107138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.545{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.545{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.543{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.542{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.542{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.542{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000107132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.542{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.542{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000107130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.541{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000107129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.541{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.541{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.540{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000107126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.540{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000107125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.540{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.540{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.539{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.539{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000107121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.538{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000107120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.538{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000107119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.537{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.537{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000107117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.536{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:36.536{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:36.535{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.535{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000107112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.535{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000107111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.535{7DAC9CB3-C5B4-63BE-D601-00000000A702}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000107110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:36.482{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:36.482{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0932D86C7458FC3BE7A5C86B4C5DE765,SHA256=FB0D77226439570DA3EE129781CD3A5267BCF0BA9A4828782972A95E72B17C29,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:37.723{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:37.723{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FBC643E0D4DCB2E950B43FC0343020,SHA256=DC474FF949053EF93D2FF03449BA83FD9BB913BF193817C3FB28FE015E854C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:37.480{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB2620E048C0B3DF41F02D65C35495A,SHA256=2DF7D84C682D59C91FD44F6C56B8E45B4794E553835CA5D439E3339427EE5086,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:38.907{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:38.907{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCD417312D6F4BD82F423ADDAA6F80C,SHA256=132E5EDD2A054EF0DCB6B6AE80F6B9F9869573A6A52C949C60E26576D13B69C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:38.586{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6548E4EE4531AF3328D747A0E01813,SHA256=5AE9135EEFCF03F5E68E3FCC88160FB6AC1EC148A413D60AD00D234FA6728BAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:34.839{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50054-false10.0.1.12-8000- 23542300x800000000000000041326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:39.675{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF76744547CD479DD6D8A15191C418B,SHA256=72035B6D79D6C9D3F7F242A722A60D71B260B9B2FA2707BF7F7CBE89F2F849F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:39.995{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:39.995{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD7FD3574677AEE35FAD8446D9BE807,SHA256=BDADA7538B84AE4FA52CEBE95BA20EA38D546B2BBAA2D0B89AB74A8BCC501874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:40.760{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF30E4A216F8C1C1AE032D54E5681622,SHA256=D998BFD4751B139CB28DFD9FFA3D45F7C1D8C7CBB08A9EFCB5A3549075CF77EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:38.991{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52039-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:41.847{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4790F5E2683492DD079C8B42DFE3DA,SHA256=42F756C4FA918D6A89BC40BB0636741F84DDE096297E614F37F6CBCA1B2BD2F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.961{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.959{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.949{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.945{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.933{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.930{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.926{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 13241300x8000000000000000107200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:41.512{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\EA515421-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_EA515421-0000-0000-0000-100000000000.XML 12241200x8000000000000000107199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:41.512{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\EA515421-0000-0000-0000-100000000000 11241100x8000000000000000107198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.510{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_EA515421-0000-0000-0000-100000000000.XML.TMP2023-01-11 14:20:41.510 
12241200x8000000000000000107197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:41.508{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\E34D479C-2C49-4090-9B4E-1002E376DD7D 13241300x8000000000000000107196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:41.508{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E34D479C-2C49-4090-9B4E-1002E376DD7D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E34D479C-2C49-4090-9B4E-1002E376DD7D.XML 13241300x8000000000000000107195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:41.508{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E34D479C-2C49-4090-9B4E-1002E376DD7D\Config SourceDWORD (0x00000001) 12241200x8000000000000000107194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:41.507{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E34D479C-2C49-4090-9B4E-1002E376DD7D 11241100x8000000000000000107193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.505{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_E34D479C-2C49-4090-9B4E-1002E376DD7D.XML.TMP2023-01-11 14:20:41.504 12241200x8000000000000000107192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:20:41.481{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000107191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.480{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:41.480{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.394{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.382{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.375{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.372{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.371{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.368{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.336{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.329{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.323{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.303{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.282{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.270{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.254{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.239{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.212{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.195{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.178{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000107172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.078{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.077{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101421E8F7C7FF0DEA9989C927FC08F1,SHA256=FB0B6F7880DF6BA145AF72ED8DA1F6DAE644C1C6B54E3B5F84B2F55AE16329CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.056{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.051{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000041331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:42.932{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEF45F7D1BC61CB4DC3B82BED216772,SHA256=558C55EE98748A61DA09B37207BFFB5284FA7E633A1EED252299A8F4B5D4F2D5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:42.646{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:42.646{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EB37C2DA2821EAE34D17FAA3F588F5,SHA256=5419C6F3E1FC3A119334EE10A462211F85894F6F7D9322EA3FE41E602C95794A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.286{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52040-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local135epmap 354300x8000000000000000107212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:41.286{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52040-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local135epmap 10341000x8000000000000000107211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:42.335{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000107210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:42.335{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000107209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:42.335{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:42.335{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000041330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:20:40.669{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50055-false10.0.1.12-8000- 23542300x800000000000000041329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:42.018{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BD5B0261888245043C4F6E7204C2E4E0,SHA256=99ACDC492DDB44683EFCE9592BEC396706F5365502E2AEAD8087D80715C8F4DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:42.140{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52041-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000107228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:42.139{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52041-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 11241100x8000000000000000107227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:43.500{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000107226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:44.441{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:44.427{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:44.419{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 23542300x800000000000000041332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:44.016{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74BC566D86C019A9B1286C06474EEE4,SHA256=517B2204C2A0508B17FBC8AE4A3B12F11900A69D5AED1F8271A1C3D7CD9A5EB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:44.015{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:44.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000107230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:44.011{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000107286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.893{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.893{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A16772DF541D0297E1BF08FA054CA4,SHA256=15D1AF8B12FF5A8D6E6A5780ECFC9E0BC5554EA680EFCA5008B051915A26ED00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:43.992{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52043-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:45.760{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:45.265{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA594A1E441A8138231D88CB38E26C0,SHA256=C65BE971B055B387DDAAB39850DAC1590A149DA09465637EABE76DFBF176FCE8,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000107283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:20:45.049{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.049{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.049{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.049{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.049{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.049{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.049{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 10341000x8000000000000000107276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:45.034{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.034{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:45.034{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000107273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.034{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.034{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.034{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.034{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.034{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000107268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.034{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.034{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.032{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.031{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.031{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.031{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000107262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.031{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 734700x8000000000000000107261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.012{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000107260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.012{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000107259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.011{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000107258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x8000000000000000107257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:20:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x8000000000000000107256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x8000000000000000107255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000107254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.006{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000107253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:45.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program 
Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000107290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:46.847{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:46.847{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D4B0F0DBBEF1C499D543D011F9C707,SHA256=AB1A2582C4A548044F37BC3143BFDDE4FCB14E8F2B40CD78AC0E5ECFD93518B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:46.283{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986AAD69D762D51B3B5BEF0A0CD9B65E,SHA256=9C5D12F57AF22A30CEAD477B01DFDCF4E14CE687848A09C85D5EA2F552944E70,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:46.425{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000107287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:46.425{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x8000000000000000107306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.924{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.924{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33411A60FFB5DAB5F89569584FB3E9E3,SHA256=8A772AD311C3BC89301746536FCB11C5414459570ED5E8A28F3F7C0E27F83C73,IMPHASH=00000000000000000000000000000000falsetrue 
354300x800000000000000041367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:45.732{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50056-false10.0.1.12-8000- 23542300x800000000000000041366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:47.378{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C74E7E30E353410A7223637FCB100C,SHA256=3D425F52C068981C3A40AE369BE1F41C98C2C632860DC4C1689657DD7166CDF0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:47.252{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000107303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:47.252{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Abgrcnq++\abgrcnq++.rkrBinary Data 12241200x8000000000000000107302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:20:47.237{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
10341000x8000000000000000107301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.237{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000107300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:47.067{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x8000000000000000107299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:47.067{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data
10341000x8000000000000000107298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.067{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4f465|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.067{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4f37e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.067{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4f347|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000107295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:47.051{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data
10341000x8000000000000000107294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.051{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4ede0|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.051{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+122b80|C:\Windows\System32\SHELL32.dll+4ed9c|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.051{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4ed70|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.051{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ca69|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000107349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000)
12241200x8000000000000000107348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
13241300x8000000000000000107347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000)
13241300x8000000000000000107346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000)
13241300x8000000000000000107345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d925c7)
13241300x8000000000000000107344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xe718222a)
13241300x8000000000000000107343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d925c7)
13241300x8000000000000000107342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xe7050f7b)
12241200x8000000000000000107341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.998{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}
12241200x8000000000000000107340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.997{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List
12241200x8000000000000000107339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.997{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine
13241300x8000000000000000107338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000}
13241300x8000000000000000107337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007)
13241300x8000000000000000107336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001)
12241200x8000000000000000107335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances
13241300x8000000000000000107334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT
12241200x8000000000000000107333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
12241200x8000000000000000107332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
12241200x8000000000000000107331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
13241300x8000000000000000107330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$
12241200x8000000000000000107329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
12241200x8000000000000000107328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
12241200x8000000000000000107327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine
10341000x8000000000000000107326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.982{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE84-63BE-0100-00000000A702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97e62|C:\Windows\system32\kerberos.DLL+79f68|C:\Windows\system32\kerberos.DLL+1451f|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+32ce5|C:\Windows\system32\lsasrv.dll+30b6b|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
12241200x8000000000000000107325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
10341000x8000000000000000107324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.982{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000107323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000)
12241200x8000000000000000107322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.982{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
23542300x800000000000000041368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:48.473{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB86164F03D17772218B9D4AD6269C4E,SHA256=E6B55A2844571D485DCB599836C2ED6B22ECF5CED51ACD2F4E9F0D2B63BF24C9,IMPHASH=00000000000000000000000000000000falsetrue
12241200x8000000000000000107321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
10341000x8000000000000000107320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.872{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
12241200x8000000000000000107319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x8000000000000000107318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
13241300x8000000000000000107317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.872{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal
13241300x8000000000000000107316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:48.872{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-661.attackrange.local
12241200x8000000000000000107315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
12241200x8000000000000000107314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
12241200x8000000000000000107313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
12241200x8000000000000000107312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
10341000x8000000000000000107311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.872{7DAC9CB3-BE87-63BE-0B00-00000000A702}636676C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
12241200x8000000000000000107310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache
12241200x8000000000000000107309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:48.872{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
354300x8000000000000000107308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.045{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52044-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local445microsoft-ds
354300x8000000000000000107307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:47.043{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52044-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local445microsoft-ds
23542300x800000000000000041369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:49.694{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7067D7B8F2DD6505BF3F6FBBBC7BED,SHA256=35891E3B32BC12C87F331F9B91186691D8457D1C3B5051AA67FB52EB2F046095,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000107351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:49.045{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000107350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:49.045{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619977D81651D45704F4051A906E3678,SHA256=0D8AE328AFDF19304DE00F12F5E2B540ED65972D798904E337B9513442922289,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:50.889{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473ED42BB9624CE9A7155927991BED8A,SHA256=B5D088CEED3532D2DBBA8E18499A113EA4E76A75B3EA4653398276190E13D463,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000107365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.688{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52048-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap
354300x8000000000000000107364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.688{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52048-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap
354300x8000000000000000107363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.680{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52047-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local389ldap
354300x8000000000000000107362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.680{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52047-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local389ldap
354300x8000000000000000107361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.680{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52046-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local49666-
354300x8000000000000000107360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.680{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52046-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local49666-
354300x8000000000000000107359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.679{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52045-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local135epmap
354300x8000000000000000107358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:48.679{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52045-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local135epmap
11241100x8000000000000000107357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:50.413{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000107356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:50.413{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4691BC2A52916E9C84D20A711BECF4,SHA256=CE11A11BFC50B50962481D9E6FA857D8804FCD8BE04393202A0AB971C6464598,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000107355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:50.257{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x8000000000000000107354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:50.257{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data
11241100x8000000000000000107353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:50.041{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840
23542300x8000000000000000107352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:50.040{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CFFF4B21110F67B7CCDC5BAA05FAA7A,SHA256=2E120FD8E6DF61CFB3DB46F17BB8CB50D057B9597078C965D5503AD859FB42B3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000107378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:49.921{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52049-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
11241100x8000000000000000107377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.152{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000107376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.152{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498B17C85EDD0A897221466FE0F5C295,SHA256=8832258EAAC3236C9C1D1E883CE711BBCF6D3752AA1878AD28C74A51246D7C61,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000107375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data
13241300x8000000000000000107374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x8000000000000000107373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data
10341000x8000000000000000107372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4f465|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4f37e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4f347|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4ede0|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+122b80|C:\Windows\System32\SHELL32.dll+4ed9c|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4ed70|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000107366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:51.022{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ca69|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000107380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:52.474{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000107379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:52.474{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937174E9730E74047671072B53ED13D7,SHA256=39A072A3F65181700A4D7780085770FA5DEDC812902BCAFBFF47FCDB69C5762D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:52.086{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4BA1A62C305D32C278895E58C7E221,SHA256=B1E7EECD00EDC7253FB608D53304CC3D96BC7E3552F143EA61CC889C367F6044,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000107385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:53.561{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:53.561{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03270E4C51986100FD6FF84E8643C9FE,SHA256=C64423F4BAADD752A652FDA6D38C34C6A2A5AECFF777D678C086CB45AC9BC85E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:51.632{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50057-false10.0.1.12-8000- 23542300x800000000000000041372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:53.278{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F80D7CDD4A9BEB4B079DC9692D190F,SHA256=157D5F154701E084865379D5C964F7EFB70AA29C34192BD3267D584BC5A10D47,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:20:53.142{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000107382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:53.142{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 13241300x8000000000000000107381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:53.142{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 11241100x8000000000000000107387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:54.643{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:54.643{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0E16286C3DA64B6686380341D87EFB,SHA256=459A4BE5E452821FC27ADC70E148CD47576FF2B7B3079863979398294D690E74,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000041374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:54.373{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E504F5F8E921E6F07A9E746D221CB4C,SHA256=A7DEE7977990CB737A1AB17E3A454B30023239D0BCE19E650B9CE5FBBDA51ECA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:55.762{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:55.762{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63F7A6D792A377F59A4E56D7CDE1BA2,SHA256=074A90C5DAFAA357699803ED937B3C0E1375E9D9E781C2F25B47337D047B46E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:55.495{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD9294EA418B857CF1FD8DA72CB5FEA,SHA256=205641205765130AB2E45CA53F1C7809D4F7D52BF200AA9E226DCA0C16E8BB39,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000107393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:56.847{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:56.847{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59510E0B1F40DEFE1335530755016491,SHA256=B92ECA122E86CD9DFAA6A1E026468898809BD9811FBC9B24E4C0ADA1FC49B896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:56.578{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39698B0C5CED8AFA40AC834EF2DC196,SHA256=3E5B0FFF91F952A92AD9E7D3F6BBBC2574D1F8C5203B32DD97D9321E8A7839D8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:56.142{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000107390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:20:56.142{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000041377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:57.798{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8858A2C3A493F9149F00B6A13B0CB46D,SHA256=7EC721B33793527FF6A1B2A5030805AC74E345CE84A8AA11A4A67555099D8D84,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:57.672{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:20:57.672 12241200x8000000000000000107429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteKey2023-01-11 14:20:57.473{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000008008C 13241300x8000000000000000107428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.422{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x8000000000000000107427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:20:57.422{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x8000000000000000107426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.422{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000008008C\VirtualDesktopBinary Data 12241200x8000000000000000107425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:57.422{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000008008C 13241300x8000000000000000107424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.407{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x8000000000000000107423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:57.407{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x8000000000000000107422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:20:57.407{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x8000000000000000107421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:57.407{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x8000000000000000107420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000107419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x8000000000000000107418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000107417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000107416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000107415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000107414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000107413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000107412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000107411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.391{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000107410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.375{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 10341000x8000000000000000107409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:57.375{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4f465|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:57.375{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4f37e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:57.375{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405012C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4f347|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+80fa7|C:\Windows\System32\windows.storage.dll+7fd33|C:\Windows\System32\windows.storage.dll+7e25f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4db7f|C:\Windows\System32\SHELL32.dll+4ede0|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+122b80|C:\Windows\System32\SHELL32.dll+4ed9c|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+4ddd4|C:\Windows\System32\SHELL32.dll+4ed70|C:\Windows\System32\TwinUI.dll+12cc31|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50404148C:\Windows\Explorer.EXE{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ca69|C:\Windows\System32\TwinUI.dll+12d71f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000107402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000107401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 13241300x8000000000000000107400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000107399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 
13241300x8000000000000000107398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\31\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 13241300x8000000000000000107397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKeyDWORD (0x00000000) 13241300x8000000000000000107396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmdDWORD (0x00000001) 13241300x8000000000000000107395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlagsDWORD (0x00000000) 12241200x8000000000000000107394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:20:57.360{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell 23542300x800000000000000041380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:58.879{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B17D673AC4EF48239146EE628E29FEC,SHA256=9C000B25E58E23AF58259D94749EE5EF70652242310E060FB15D6979E5277B39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:58.226{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:58.226{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E0A954FCDFA59EDD3DFB67A538E302,SHA256=A72E99E3928EB443D3682DFFE7530BD42B278811A75EB3605032E7F12BD0DCD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:55.926{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52050-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000041379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:56.795{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50058-false10.0.1.12-8000- 23542300x800000000000000041378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:20:58.031{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DC2EDFC09233746FF2A4F82E91B7E375,SHA256=AAAAFA0EADE0F6406316CABA32D1E45B82A660D206EE3991C5C4D15E9EA3F61A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:59.275{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:20:59.275{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B11486CE0DF9BCEA18892A77656097,SHA256=3CCF7AD726595143D6F014627B204C22FA59C03DDFE6F2C7BBBC9523FD477637,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:00.928{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 
13241300x8000000000000000107442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:00.928{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 13241300x8000000000000000107441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:00.912{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 23542300x8000000000000000107440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:00.912{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C7224DD5681D26DAC8FAD16AABCADB6E,SHA256=3945FBDB4C284BA11EBB88FE04C857219A97BF88839E45DECC08F4720501D140,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:00.474{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:00.474{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA6B910405EA3FA6546D0A536855F17,SHA256=527A422B6970AE03EBDFB6A57615E8E5F6C75E8D1E1F55967FDD4C45AEE925B1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:00.381{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000107436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:00.381{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkrBinary Data 23542300x800000000000000041381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:00.074{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854A06AF78A72ADC38E575A4702E7B33,SHA256=E26ED66586901A428BCDDDA9EDFDEED91B374BBDBD883B9C132FCEF6882472BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:01.157{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3FAB18BE109BDAEBF75DE5F0DAB495,SHA256=BEA7512784F6885D7321728C6C251C6D309ABBA28CB5B03FD8D5DEA8ACB5967E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.946{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.938{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.932{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.930{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.921{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.918{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.914{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000107475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.436{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.436{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025D17BFDE586A0B0411516B4E812020,SHA256=61CAE37FA244390F0C9C7FE6472244FB29DD2D81A27546EB2AAF43017CB7687D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.431{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKeyDWORD (0x00000000) 13241300x8000000000000000107472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:21:01.431{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmdDWORD (0x00000001) 13241300x8000000000000000107471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.430{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlagsDWORD (0x00000000) 13241300x8000000000000000107470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.430{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x1024x96(1).bottomDWORD (0x000002d5) 13241300x8000000000000000107469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.430{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x1024x96(1).rightDWORD (0x000003ed) 13241300x8000000000000000107468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.430{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x1024x96(1).topDWORD (0x00000054) 13241300x8000000000000000107467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:21:01.430{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x1024x96(1).leftDWORD (0x000000cd) 13241300x8000000000000000107466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.430{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x1024x96(1).yDWORD (0xffffffff) 13241300x8000000000000000107465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.430{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x1024x96(1).xDWORD (0xffffffff) 13241300x8000000000000000107464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.428{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x1024x96(1).yDWORD (0xffffffff) 13241300x8000000000000000107463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:01.428{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x1024x96(1).xDWORD (0xffffffff) 10341000x8000000000000000107462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.313{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.297{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.290{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.286{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.282{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.280{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.245{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.231{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.202{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.183{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.167{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.154{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.141{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.127{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.116{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.093{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.008{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 23542300x800000000000000041383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:02.361{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF7A6625D9616A66E5911DF932E3918,SHA256=B647DE83C4B1713DD943C1CC25CC6F6F202EB4745BEA9DA9A62D5F6EF1011597,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:02.476{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:02.475{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811682DF7D008C10B29D284197BF6CC0,SHA256=69DE79640904AACF94894C2045E8FDBAB3FDD7EAAA81BF1F9F0E4E4B8876DE7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:02.227{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-029MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:02.226{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\respondent-20230111135017-0292023-01-11 14:21:02.226 11241100x8000000000000000107485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:02.224{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\surveyor-20230111135015-0302023-01-11 14:21:02.224 11241100x8000000000000000107484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:02.134{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-11 13:51:01.788 23542300x8000000000000000107483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:02.134{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3369347606A6A84C64EAD9C5BAC1DACD,SHA256=F2ECDFBBD45AF3F0AA147DBAB1C8C747AF3E0FDD1BFD149E084CB434B3A55FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:03.464{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F7272DC49CCDC19D6E3FC9E2DF626F,SHA256=3FD26E27F87D48B231ABD78536BFEE5EF59D9814AA2A85B2F389F7CBEF0D2AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:03.977{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:03.976{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:03.975{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 13241300x8000000000000000107495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:03.943{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000107494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:21:03.943{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x8000000000000000107493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:03.552{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:03.552{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0655A0FD08BEE03000B52166CC9C9F58,SHA256=373CDF717AFA33661ABA0A54C003C639FC7E7C472922E99A31EB191E8F8ECA03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:03.233{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:01.030{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52051-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000041415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.841{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.838{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.833{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.827{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.825{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.822{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.821{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.818{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.813{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.806{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.787{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.782{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.774{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 354300x800000000000000041402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:02.743{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50059-false10.0.1.12-8000- 10341000x800000000000000041401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.757{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.734{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.730{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.707{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.694{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.653{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.638{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.621{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.611{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.581{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 23542300x800000000000000041391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.553{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D34D973F5150A7006D262FBE377EC2D,SHA256=9D24C39336E515BD9908306937446A7FD704CAB3951B474DB171DFC49D650C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.533{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.505{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:04.488{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 11241100x8000000000000000107518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:04.828{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000107517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:04.828{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F22484365AA31E12493D5BB98A9660E1,SHA256=E7422DFC8B1DBF726FA585E351C68E43630AA1E049B8965732D60541D6CE8C2F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:04.750{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:04.750{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B1D810B9587EA0E2EBE466E65635D5,SHA256=4C62461BE33E14AD03B9E82EC944958DEA2379B0CC72F609DF3C9493E060DF24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:04.666{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000107513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:04.659{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 
Microsoft-Windows-Sysmon/Operational records, one per line, reconstructed from the flattened export and listed in the order they appear there. Every record carries Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID and RuleName=-, so those are not repeated per line; the schema versions in this export are EventID 3 v5, EventID 10 v3, EventID 11 v2, EventID 12 v2, EventID 13 v2 and EventID 23 v5. CallTrace values that repeat verbatim are abbreviated to the labels below.

CallTrace [A] = C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190)
CallTrace [B] = C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390)
CallTrace [C] = C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
CallTrace [D] = C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
CallTrace [E] = C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|<lsm.dll frames, given per record>|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID=107512 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.658 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-C46E-63BE-A801-00000000A702} | TargetProcessId=5796 | TargetImage=C:\Windows\system32\cmd.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107511 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.656 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-C226-63BE-5B01-00000000A702} | TargetProcessId=4528 | TargetImage=C:\Program Files\Notepad++\notepad++.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=41387 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:04.448 | SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} | SourceProcessId=1552 | SourceThreadId=1276 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | TargetProcessId=728 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=[B]
EventRecordID=41386 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:04.431 | SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} | SourceProcessId=1552 | SourceThreadId=1276 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={3EE3745C-BE84-63BE-0B00-00000000A802} | TargetProcessId=632 | TargetImage=C:\Windows\system32\lsass.exe | GrantedAccess=0x40 | CallTrace=[B]
EventRecordID=41385 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:04.427 | SourceProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} | SourceProcessId=1552 | SourceThreadId=1276 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={3EE3745C-BE84-63BE-0900-00000000A802} | TargetProcessId=572 | TargetImage=C:\Windows\system32\winlogon.exe | GrantedAccess=0x40 | CallTrace=[B]
EventRecordID=107510 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.630 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BF91-63BE-AF00-00000000A702} | TargetProcessId=4604 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107509 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.611 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BF90-63BE-AE00-00000000A702} | TargetProcessId=4168 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107508 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.560 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | TargetProcessId=5040 | TargetImage=C:\Windows\Explorer.EXE | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107507 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.541 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BF8E-63BE-A500-00000000A702} | TargetProcessId=4540 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107506 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.525 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BF8E-63BE-A200-00000000A702} | TargetProcessId=4436 | TargetImage=C:\Windows\System32\rdpclip.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107505 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.513 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BF8C-63BE-9F00-00000000A702} | TargetProcessId=172 | TargetImage=C:\Windows\system32\dwm.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107504 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.508 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BF8B-63BE-9D00-00000000A702} | TargetProcessId=2144 | TargetImage=C:\Windows\system32\winlogon.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107503 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.502 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BF11-63BE-8900-00000000A702} | TargetProcessId=3180 | TargetImage=C:\Windows\System32\msdtc.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107502 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.500 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | TargetProcessId=3632 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107501 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.496 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BEA4-63BE-7100-00000000A702} | TargetProcessId=3944 | TargetImage=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107500 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.494 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE99-63BE-4500-00000000A702} | TargetProcessId=3588 | TargetImage=C:\Windows\system32\conhost.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107499 | EventID=10 ProcessAccess | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:04.490 | SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} | SourceProcessId=5840 | SourceThreadId=1392 | SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | TargetProcessGUID={7DAC9CB3-BE99-63BE-4400-00000000A702} | TargetProcessId=3552 | TargetImage=C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | GrantedAccess=0x40 | CallTrace=[A]
EventRecordID=107520 | EventID=11 FileCreate | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:05.949 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2023-01-10 09:32:18.990
EventRecordID=107519 | EventID=23 FileDelete | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:05.949 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=E9C87A9C4AA4C433C3C4F67F400229C4,SHA256=5FC17605D384E818981B0185F4978323D0BEB2D13BE3EB0F88573D4E74DEACCA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=41416 | EventID=23 FileDelete | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:06.018 | ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId=3564 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=18B3B2BA46370DA516C4B0BAD7BD8F6A,SHA256=063F6E52F69758FE4B9CD41B31FE62D53C488FFDAC8A8158C6E0836B89E2F43B,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=41418 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:07.817 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-2100-00000000A802} | TargetProcessId=1552 | TargetImage=C:\Program Files\Aurora-Agent\aurora-agent.exe | GrantedAccess=0x1000 | CallTrace=[C]
EventRecordID=41417 | EventID=23 FileDelete | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:07.163 | ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId=3564 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CB5893CBF08803D55F0C19E7F57A41E1,SHA256=FC18D5D366C495BB312031269609D5DF1A6EE2323DD0ED1BB6A6CB398A0FE46E,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=107522 | EventID=11 FileCreate | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:07.036 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2023-01-10 09:32:18.990
EventRecordID=107521 | EventID=23 FileDelete | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:07.036 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=1972F39C628542A757C86CC7879BF0BC,SHA256=005D4E551F0664AA01EA7484C3B593745E264B4818C9B16129C715B8C4372130,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=41419 | EventID=23 FileDelete | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:08.242 | ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId=3564 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=60A2703F3B72753F33FB27D8DFAA3865,SHA256=7E624AAD6E60000CFAF7EEA2DCED137BE921D0660B8109B0AC9C7A562B37C9E9,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=107524 | EventID=11 FileCreate | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:08.121 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2023-01-10 09:32:18.990
EventRecordID=107523 | EventID=23 FileDelete | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:08.121 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3ED5ED1110282B8865EE7CE090CA110F,SHA256=DEB6ED372276B6A39EFBD1C0F07CF1B09D1057054496F231670FC978DA2BD8FC,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=41421 | EventID=23 FileDelete | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:09.541 | ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} | ProcessId=3564 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=62C7ED73028157528F7C4ECC6B50B134,SHA256=AFCF6C63034A2AA979791A064941EAE7350D1DB47809A1794E30B26DFAEC282C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=41420 | EventID=23 FileDelete | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:09.495 | ProcessGuid={3EE3745C-BE85-63BE-2200-00000000A802} | ProcessId=1620 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | Hashes=MD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=107552 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
EventRecordID=107551 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ea515421-0000-0000-0000-100000000000}
EventRecordID=107550 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0
EventRecordID=107549 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3
EventRecordID=107548 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
EventRecordID=107547 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
EventRecordID=107546 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0
EventRecordID=107545 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3
EventRecordID=107544 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
EventRecordID=107543 | EventID=13 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=SetValue | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Details=Binary Data
EventRecordID=107542 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
EventRecordID=107541 | EventID=13 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=SetValue | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Details=Binary Data
EventRecordID=107540 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
EventRecordID=107539 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0
EventRecordID=107538 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3
EventRecordID=107537 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
EventRecordID=107536 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
EventRecordID=107535 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0
EventRecordID=107534 | EventID=13 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=SetValue | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx | Details=Binary Data
EventRecordID=107533 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3
EventRecordID=107532 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
EventRecordID=107531 | EventID=13 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=SetValue | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx | Details=Binary Data
EventRecordID=107530 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
EventRecordID=107529 | EventID=13 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=SetValue | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Details=Binary Data
EventRecordID=107528 | EventID=12 RegistryEvent | Computer=win-dc-ctus-attack-range-661.attackrange.local | EventType=CreateKey | UtcTime=2023-01-11 14:21:09.405 | ProcessGuid={7DAC9CB3-BF8F-63BE-AD00-00000000A702} | ProcessId=5040 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
EventRecordID=107527 | EventID=3 NetworkConnect | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:06.855 | ProcessGuid={7DAC9CB3-BEA4-63BE-7100-00000000A702} | ProcessId=3944 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-ctus-attack-range-661.attackrange.local | SourcePort=52052 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventRecordID=107526 | EventID=11 FileCreate | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:09.202 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2023-01-10 09:32:18.990
EventRecordID=107525 | EventID=23 FileDelete | Computer=win-dc-ctus-attack-range-661.attackrange.local | UtcTime=2023-01-11 14:21:09.202 | ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} | ProcessId=3632 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=E313517E9F9BAB6DA1DCC7C80B0B49F2,SHA256=047C88C6B82E9240798B4AB176639100940295066899B2AE5EC1A4DF5726EA36,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
EventRecordID=41435 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE87-63BE-2E00-00000000A802} | SourceProcessId=2956 | SourceThreadId=2976 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={3EE3745C-C5D6-63BE-7401-00000000A802} | TargetProcessId=1392 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe | GrantedAccess=0x1fffff | CallTrace=[D]
EventRecordID=41434 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae
EventRecordID=41433 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+11aad
EventRecordID=41432 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+11058
EventRecordID=41431 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+12023
EventRecordID=41430 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0
EventRecordID=41429 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f
EventRecordID=41428 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+11aad
EventRecordID=41427 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+11058
EventRecordID=41426 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0C00-00000000A802} | SourceProcessId=728 | SourceThreadId=3988 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={3EE3745C-BE85-63BE-1A00-00000000A802} | TargetProcessId=1896 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=[E] with lsm.dll frames c:\windows\system32\lsm.dll+12023
EventRecordID=41425 | EventID=10 ProcessAccess | Computer=win-host-ctus-attack-range-780 | UtcTime=2023-01-11 14:21:10.958 | SourceProcessGUID={3EE3745C-BE84-63BE-0500-00000000A802} | SourceProcessId=416 | SourceThreadId=532 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={3EE3745C-C5D6-63BE-7401-00000000A802} | TargetProcessId=1392 | TargetImage=C:\Program [record cut off here in the export; the rest of it, including GrantedAccess and CallTrace, follows in the next section]
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:10.958{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C5D6-63BE-7401-00000000A802}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:10.959{3EE3745C-C5D6-63BE-7401-00000000A802}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:10.640{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B26668A150870245EE009D5682AB1A,SHA256=AE6E54C8A52F2EA932A7B85807884E89E4F266FA3882BCECAD31566F11F1C16E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:10.292{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:10.292{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D086ED678E0FF8647021B5D90B6EC0F,SHA256=A2E639F2281415A476836E53D9C0538EE7FBEDB6A075CB99A9FE34B76963D3DD,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000041451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.707{3EE3745C-C5D7-63BE-7501-00000000A802}2972852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000107557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:11.370{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:11.370{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD19A1B372810F739DF5A254EFFE8D89,SHA256=D87223DB4CB2C4BFE0157D0A1273E0A4F731D7F02D719DE4D752D7138AC83A10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:11.519{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C5D7-63BE-7501-00000000A802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.519{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.519{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C5D7-63BE-7501-00000000A802}2972C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.519{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C5D7-63BE-7501-00000000A802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:11.520{3EE3745C-C5D7-63BE-7501-00000000A802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000041437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:09.072{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50061-false10.0.1.12-8089- 354300x800000000000000041436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:08.635{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50060-false10.0.1.12-8000- 10341000x8000000000000000107555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:11.231{7DAC9CB3-BE89-63BE-0D00-00000000A702}8966096C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:12.832{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C6D8ACDE816849A8F5F169E04EDFE5,SHA256=7654A7835D174C8E28F364D07F321A7F9EE53AD46FCC8936D4E9521E69EBF4FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.986{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000107648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.986{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CF0F885E80D59CB9EF6F6A2474C3F8CD,SHA256=8DE3CECBAE0CED934EFD94CA8AF5259D48711C7844D42109EDC2C008B6DA2B98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.920{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 
10341000x8000000000000000107646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.920{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000107645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.919{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000107644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.916{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x800000000000000041468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:12.190{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C6CC171C4C7F07F7AE222C95EB2A15F5,SHA256=40122B2B79E8187D1A4841482FC07C3E58BCF9665F828EBE23667584143E88B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:12.128{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71F8E0F51444B82F19318FC10EAD21F8,SHA256=DC46F7575EEC302947D7B1BBA060D1C34CC9C5142D558D06319E7D20F48F6E49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:12.049{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C5D8-63BE-7601-00000000A802}1140C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:12.049{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:12.049{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:12.049{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:12.526{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\Downloads\svchosts.exeBinary Data 12241200x8000000000000000107571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:12.526{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store 10341000x8000000000000000107570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.510{7DAC9CB3-BE89-63BE-1000-00000000A702}1001036C:\Windows\System32\svchost.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:12.510{7DAC9CB3-BE89-63BE-1000-00000000A702}1001036C:\Windows\System32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.510{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:12.510{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.510{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:12.510{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.510{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23443600C:\Windows\system32\csrss.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000107563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:12.510{7DAC9CB3-BF8F-63BE-AD00-00000000A702}50405508C:\Windows\Explorer.EXE{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+7664b|C:\Windows\System32\windows.storage.dll+76361|C:\Windows\System32\windows.storage.dll+75fae|C:\Windows\System32\windows.storage.dll+77250|C:\Windows\System32\windows.storage.dll+75cfe|C:\Windows\System32\windows.storage.dll+9ccc5|C:\Windows\System32\windows.storage.dll+9d044|C:\Windows\System32\windows.storage.dll+9c680|C:\Windows\System32\windows.storage.dll+63ffa|C:\Windows\System32\windows.storage.dll+63d52|C:\Windows\System32\SHELL32.dll+a13e9|C:\Windows\System32\SHELL32.dll+9ff96|C:\Windows\System32\SHELL32.dll+92739|C:\Windows\System32\SHELL32.dll+536be|C:\Windows\System32\SHELL32.dll+17447c|C:\Windows\System32\SHELL32.dll+1741d3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000107562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.521{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0.0.0.0 --svchosts.exe"C:\Temp\Downloads\svchosts.exe" C:\Temp\Downloads\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=63D533FB228E802C9C774EF75FF043FA,SHA256=240AC12F9C13EF1FDFBC77E16978F0423A41A3CC1C3DCB8786BA8E7672811F0B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 11241100x8000000000000000107561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.462{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:12.462{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F92D5374E3AE3A32AC0ED8778962A6,SHA256=530A0651C026958F799C406E6197B0C41969F0AD98C87485EA48B0E391797EFB,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000107559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:12.337{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x8000000000000000107558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:12.337{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ea515421-0000-0000-0000-100000000000} 10341000x800000000000000041482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.991{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C5D9-63BE-7701-00000000A802}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000041481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.989{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.989{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000041479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.989{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.989{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:13.989{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.988{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:13.988{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.988{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C5D9-63BE-7701-00000000A802}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:13.988{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.988{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.988{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C5D9-63BE-7701-00000000A802}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:13.988{3EE3745C-C5D9-63BE-7701-00000000A802}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000107668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:13.576{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000107667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:13.576{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E4D2B61444A7E743E4CCC6809A563E0,SHA256=D71A0137D973D1C535EB94BA6C46D3D3D015AEC45C93B88D869BA8E681B9DF5D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:13.497{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:13.497{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F4342D97B1471656E8D68BD825CEFC,SHA256=F8758AB5259C3D73712443623233386C1201E29FD5083E6DDF7FD5AC680710A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:13.310{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:13.294{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
10341000x800000000000000041517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.327{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C5DB-63BE-7901-00000000A802}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.327{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.327{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C5DB-63BE-7901-00000000A802}2456C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.327{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C5DB-63BE-7901-00000000A802}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:15.328{3EE3745C-C5DB-63BE-7901-00000000A802}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.961{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.958{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.942{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.942{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.942{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.942{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.942{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.926{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.926{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.895{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.895{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.880{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.864{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.864{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.833{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.786{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.755{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 11241100x8000000000000000107691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.661{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.661{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B2CEA1AA9278FADF987A8A15815749,SHA256=B0F135E8626340D81E40A5B489FD0BB71095F3D5DA3FDB68D2BE0C60E442EC67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.598{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.567{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.489{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.489{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.473{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.473{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:15.458{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:15.038{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x800000000000000041534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.545{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:16.545{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C5DC-63BE-7A01-00000000A802}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.545{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C5DC-63BE-7A01-00000000A802}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.545{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C5DC-63BE-7A01-00000000A802}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.546{3EE3745C-C5DC-63BE-7A01-00000000A802}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:16.451{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83BE94E9951C1019B338DF4DCBC7254,SHA256=AF086F317D3BA86E3BC8E4E93D3D4F20DC25045FFC2BED8DEB44727D36538C46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.603{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000107879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.603{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EF16E499D50E7C6C3258B79FBAA53D,SHA256=52D54CB89289E27FEF9CD1E292FDA06E765A7FA8AD7A617C025EDBFD86B371A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.510{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.510{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82317F2B3401C52A8D26CD58F1A418F,SHA256=782908009EB3C0B449AC781DD87B54CEF04FF978295501B4D6181CDE14275867,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:16.432{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.416{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:16.416{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.400{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:16.385{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.385{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000107870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.385{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:16.385{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.385{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
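The Event ID 10 (ProcessAccess) records above show a binary named svchosts.exe, running as PID 4408 from C:\Temp\Downloads and again as PID 5300 from C:\Users\Administrator\AppData\Roaming, opening winlogon.exe, svchost.exe, msdtc.exe, dwm.exe, sysmon64.exe, conhost.exe, dns.exe and others within about a second, each time with GrantedAccess 0x1410 and a call trace that passes through the NGEN image System.ni.dll and ends in an unresolved frame. 0x1410 decodes to PROCESS_QUERY_LIMITED_INFORMATION (0x1000), PROCESS_QUERY_INFORMATION (0x0400) and PROCESS_VM_READ (0x0010). The lsass.exe records in the same second run the other way: lsass is the source, svchosts.exe the target, the access is 0x1000 or 0x1478, and the trace goes through SspiSrv.dll and lsasrv.dll at the moment the Event ID 7 records show sspicli.dll being loaded into svchosts.exe. The following Python is an added triage example written for this page, not code from the logged environment or from any tool shown in it. It takes Sysmon's native XML rather than the flattened Splunk rendering above; the sample events are constructed from the fields visible in the log, and the thresholds (four distinct targets within five seconds), the list of core image names and the managed-code markers are the example's own assumptions.

```python
# Added example, not from the logged range: triage of Sysmon Event ID 10 (ProcessAccess) records.
# The sample events are constructed to mirror the fields visible in the log above.
import xml.etree.ElementTree as ET
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"  # Sysmon XML namespace, ElementTree form
# Subset of PROCESS_* rights (winnt.h); 0x1410 is what .NET's Process class requests to enumerate processes.
ACCESS_RIGHTS = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                 0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
                 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
SYSTEM_IMAGES = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "dwm.exe", "conhost.exe"]  # assumed list
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MANAGED_MARKERS = ("system.ni.dll", "mscorlib.ni.dll", "clr.dll")  # call-trace frames that mean .NET code
ProcessAccess = namedtuple("ProcessAccess", "utc_time source_image source_pid target_image "
                           "target_pid granted_access call_trace")

def decode_access(mask: int) -> list:  # expand a GrantedAccess mask into named rights, ascending bit order
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]

def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def masquerade_reason(image: str) -> Optional[str]:
    """Name within one edit of a core Windows binary, but not run from a system directory."""
    low = image.lower()
    if low.startswith(SYSTEM_DIRS):
        return None
    name = PureWindowsPath(low).name
    for legit in SYSTEM_IMAGES:
        if edit_distance(name, legit) <= 1:
            return f"{name} resembles {legit} but runs from {PureWindowsPath(image).parent}"
    return None

def parse_events(xml_text: str) -> list:
    """Return the EventData fields of every EventID 10 record in a Sysmon XML document."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "10":
            continue
        d = {el.get("Name"): el.text for el in ev.iter(NS + "Data")}
        events.append(ProcessAccess(
            datetime.strptime(d["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"), d["SourceImage"],
            int(d["SourceProcessId"]), d["TargetImage"], int(d["TargetProcessId"]),
            int(d["GrantedAccess"], 16), d["CallTrace"]))
    return events

def find_sweeps(events, min_targets=4, window=timedelta(seconds=5)) -> list:
    """One source opening >= min_targets distinct targets with PROCESS_VM_READ inside `window`.
    Opens without VM_READ (lsass answering its RPC client with 0x1000, the 0x1400 opens from svchost.exe)
    are skipped, so the server side of a call never trips the rule."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.granted_access & 0x0010:
            by_source[(ev.source_pid, ev.source_image)].append(ev)
    findings = []
    for (pid, image), evs in by_source.items():
        evs.sort(key=lambda e: e.utc_time)
        targets = sorted({PureWindowsPath(e.target_image).name.lower() for e in evs})
        if len(targets) >= min_targets and evs[-1].utc_time - evs[0].utc_time <= window:
            findings.append({"source_image": image, "source_pid": pid, "targets": targets,
                             "rights": decode_access(evs[0].granted_access),
                             "managed": any(m in evs[0].call_trace.lower() for m in MANAGED_MARKERS),
                             "masquerade": masquerade_reason(image)})
    return findings

# Constructed sample: the same shape as the records above, rendered as Sysmon XML.
DOTNET = (r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|"
          r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|UNKNOWN(00007FFB143C20A3)")
RPC = r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|C:\Windows\System32\RPCRT4.dll+7ac63"
BAD = r"C:\Temp\Downloads\svchosts.exe"
SAMPLE_ROWS = [  # UtcTime, SourceProcessId, SourceImage, TargetProcessId, TargetImage, GrantedAccess, CallTrace
    ("2023-01-11 14:21:15.038", 4408, BAD, 4540, r"C:\Windows\system32\svchost.exe", "0x1410", DOTNET),
    ("2023-01-11 14:21:15.458", 4408, BAD, 2552, r"C:\Windows\system32\dns.exe", "0x1410", DOTNET),
    ("2023-01-11 14:21:15.473", 4408, BAD, 2728, r"C:\Windows\sysmon64.exe", "0x1410", DOTNET),
    ("2023-01-11 14:21:15.567", 4408, BAD, 1120, r"C:\Windows\system32\dwm.exe", "0x1410", DOTNET),
    ("2023-01-11 14:21:15.786", 4408, BAD, 576, r"C:\Windows\system32\winlogon.exe", "0x1410", DOTNET),
    ("2023-01-11 14:21:16.545", 728, r"C:\Windows\system32\svchost.exe", 1896, r"C:\Windows\sysmon64.exe", "0x1400", RPC),
    ("2023-01-11 14:21:16.385", 636, r"C:\Windows\system32\lsass.exe", 5300, r"C:\Users\Administrator\AppData\Roaming\svchosts.exe", "0x1000", RPC),
]
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID>'
            '</System><EventData><Data Name="UtcTime">{}</Data><Data Name="SourceProcessId">{}</Data>'
            '<Data Name="SourceImage">{}</Data><Data Name="TargetProcessId">{}</Data><Data Name="TargetImage">{}'
            '</Data><Data Name="GrantedAccess">{}</Data><Data Name="CallTrace">{}</Data></EventData></Event>')

def build_sample_xml() -> str:
    return "<Events>" + "".join(TEMPLATE.format(*row) for row in SAMPLE_ROWS) + "</Events>"

if __name__ == "__main__":
    for finding in find_sweeps(parse_events(build_sample_xml())):
        print(finding)
```

Run against the constructed sample, the sweep rule yields a single finding: PID 4408, five distinct targets in under a second, rights decoded as PROCESS_VM_READ, PROCESS_QUERY_INFORMATION and PROCESS_QUERY_LIMITED_INFORMATION, a managed call trace, and a masquerade note that svchosts.exe is one character from svchost.exe but runs from C:\Temp\Downloads. The lsass.exe and svchost.exe records are parsed but never grouped, because neither 0x1000 nor 0x1400 carries PROCESS_VM_READ. The example only characterises the access pattern the log records; it does not claim what the binary does with the handles.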
30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 154100x8000000000000000107776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.355{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0.0.0.0 --svchosts.exe"C:\Users\Administrator\AppData\Roaming\svchosts.exe" C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=63D533FB228E802C9C774EF75FF043FA,SHA256=240AC12F9C13EF1FDFBC77E16978F0423A41A3CC1C3DCB8786BA8E7672811F0B,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe"C:\Temp\Downloads\svchosts.exe" 10341000x8000000000000000107775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.353{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000107774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000107773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 12241200x8000000000000000107772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000107771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000107770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000107769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000107768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000107767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000107766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000107765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x8000000000000000107764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 12241200x8000000000000000107763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000107762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000107761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000107760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000107759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000107758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000107757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000107756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000107755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000107754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000107753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000107752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000107751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000107750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000107749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000107748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x8000000000000000107747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000107746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x8000000000000000107745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000107744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x8000000000000000107743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 
12241200x8000000000000000107742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000107741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000107739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 
10341000x8000000000000000107738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.338{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000107737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000107736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000107735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:16.338{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x8000000000000000107734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:16.322{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000107733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.322{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft 
Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000107730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-BE89-63BE-1600-00000000A702}1300424C:\Windows\System32\svchost.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000107728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 
734700x8000000000000000107727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 11241100x8000000000000000107726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Users\Administrator\AppData\Roaming\svchosts.exe2023-01-11 14:21:16.307 734700x8000000000000000107725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000107724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 
734700x8000000000000000107723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000107722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000107721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\windows.storage.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=9EFC3C32A8E79CFD4BBB82124A55004E,SHA256=B81FDD83CD5E2D98086CA4432C4DD88AD4C0D7B81C9577F6925856C43DAA5090,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000107720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}4408C:\Temp\Downloads\svchosts.exeC:\Windows\System32\shell32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows Shell Common DllMicrosoft® Windows® Operating 
SystemMicrosoft CorporationSHELL32.DLLMD5=D62656C29B0DDCDF5AF807AB797D471E,SHA256=50114D3B5404D20F3F07B962B02DAF462501F78B305BEB8DCAC836769FC6D228,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000107719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:16.307{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:16.291{7DAC9CB3-C5D8-63BE-D701-00000000A702}44086648C:\Temp\Downloads\svchosts.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:18.586{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:18.586{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:18.555{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:18.508{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:18.480{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:18.449{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000107906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:18.449{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000107905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:18.449{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000107904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:18.355{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:18.324{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:18.230{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:18.201{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:18.183{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:18.183{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:18.183{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 23542300x800000000000000041538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:19.824{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2788EDF6B3D48718552FF25BDE3A6899,SHA256=D84CAFD53A0EAB39A8F0C9CC229D41BD0BDBE66E43F3A8EAE42D886463A0CD91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.864{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000107950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.864{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2687DC0779A8B25E32D10E55653E6D9,SHA256=FADDACBF2AED2D9752DC92FACE64F2F86F7C8189AA6E302DFC06D4B09DBCCA80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:17.987{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52055-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000107948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.023{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Documents\read_it.txt2023-01-11 14:21:19.023 11241100x8000000000000000107947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.023{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Desktop\read_it.txt2023-01-11 14:21:19.019 23542300x8000000000000000107946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.022{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Desktop\read_it.txtMD5=961C194EF480380E359D7E4681AA10FE,SHA256=CA20A1AE7713FBC9B5D93D8FF0EB1FEB9C407CC70DE9EB7AF0AF7A447CD2078E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:19.021{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Contacts\read_it.txt2023-01-11 14:21:19.021 11241100x8000000000000000107944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.020{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Links\read_it.txt2023-01-11 14:21:19.020 11241100x8000000000000000107943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.019{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Desktop\read_it.txt2023-01-11 14:21:19.019 11241100x8000000000000000107942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.015{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchosts.url2023-01-11 14:21:19.015 734700x8000000000000000107941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.012{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000107940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.012{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® 
Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000107939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.011{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000107938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.011{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Windows\System32\windows.storage.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=9EFC3C32A8E79CFD4BBB82124A55004E,SHA256=B81FDD83CD5E2D98086CA4432C4DD88AD4C0D7B81C9577F6925856C43DAA5090,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000107937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.010{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 
734700x8000000000000000107936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.010{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Windows\System32\shell32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D62656C29B0DDCDF5AF807AB797D471E,SHA256=50114D3B5404D20F3F07B962B02DAF462501F78B305BEB8DCAC836769FC6D228,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000107935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:19.005{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:19.004{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005748C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+381d10|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2b7465|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c37a4|UNKNOWN(00007FFB143C20A3) 10341000x8000000000000000107989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.997{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 734700x8000000000000000107988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.139{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.139{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.139{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000107985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.139{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000107984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:20.139{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x8000000000000000107983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-BE89-63BE-1600-00000000A702}1300424C:\Windows\System32\svchost.exe{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000107981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme 
LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000107980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000107979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000107974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:20.126{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000107973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000107972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000107971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.126{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.110{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.110{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000107968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.110{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for 
WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.110{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000107966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.110{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23447124C:\Windows\system32\csrss.exe{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000107965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.110{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000107964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:20.110{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000107963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.104{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.104{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000107961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.100{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 
10341000x8000000000000000107960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.097{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd52|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000107959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.095{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000107958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:20.095{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=61776A890DC188AEDBD2E603B6BA6293,SHA256=6953C62C0C6FBFC1F7CACFFBEFB17E68D556AF64DB973A2B948CDF77AF7D8C2F,IMPHASH=00000000000000000000000000000000falsetrue 
12241200x8000000000000000107957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:20.035{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x8000000000000000107956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:20.035{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 12241200x8000000000000000107955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:20.018{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKCR\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance 12241200x8000000000000000107954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:20.018{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKCR\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance 12241200x8000000000000000107953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:20.018{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKCR\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance 12241200x8000000000000000107952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:20.018{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKCR\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance 23542300x800000000000000041539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:21.145{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87569F75845D4FFAF857A40A72ADF16A,SHA256=33F92AA30A707A5ADF4F15D61AC8A83944A4B3BECE5F00BFB2CA088CB119E35D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000108017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.943{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\read_it.txt2023-01-11 14:21:21.943 11241100x8000000000000000108016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.819{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original.jar2023-01-10 10:27:33.080 23542300x8000000000000000108015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.819{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original.jarMD5=0834BCBEED64A313509960EA94C227AE,SHA256=C1CDA82B39FDA2F77C811F42A7A55987ADF37E06A522ED6F28900D77BBD4409F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.337{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.320{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.302{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.296{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.292{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.290{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.242{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.230{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.214{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.191{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 11241100x8000000000000000108004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.189{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 11241100x8000000000000000108003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.189{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000108002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.189{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E0756F8D76633031088F6101D3951D,SHA256=AE75D21CB379BD1B37505B103A72C9C9B6F738AE00D42BD59822BB8DE4206AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.188{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B809AE90CC86B54B08D5FF4E8CA215C3,SHA256=635F997A9D99482B667B1F940285DD71D099EE8D6F4627C2E3877294292A5DF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.176{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 
10341000x8000000000000000107999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.162{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000107998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.132{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000107997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.114{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000107996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.096{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000107995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:21.088{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
14:21:23.406{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\META-INF\maven\bitwalker\UserAgentUtils\read_it.txt2023-01-11 14:21:23.406 11241100x8000000000000000108083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.406{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\META-INF\imports\read_it.txt2023-01-11 14:21:23.406 11241100x8000000000000000108082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.406{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\META-INF\read_it.txt2023-01-11 14:21:23.406 11241100x8000000000000000108081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.406{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\license\read_it.txt2023-01-11 14:21:23.406 11241100x8000000000000000108080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.390{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\de\javasoft\plaf\synthetica\standard\xml\read_it.txt2023-01-11 14:21:23.390 11241100x8000000000000000108079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:23.359{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\de\javasoft\plaf\synthetica\standard\images\read_it.txt2023-01-11 14:21:23.359 11241100x8000000000000000108078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.359{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\de\javasoft\plaf\synthetica\dark\xml\read_it.txt2023-01-11 14:21:23.359 11241100x8000000000000000108077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.327{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000108076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.327{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C228DF048D0F14E708F86EAF4B492B6,SHA256=55F1DE977C078A50C810C6316E16FA89C77A7D491484A45E74223698D6D0CCEF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000108075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.296{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\de\javasoft\plaf\synthetica\dark\images\read_it.txt2023-01-11 14:21:23.296 
11241100x8000000000000000108074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.296{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\de\javasoft\plaf\synthetica\blueice\xml\read_it.txt2023-01-11 14:21:23.296 11241100x8000000000000000108073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.281{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\de\javasoft\plaf\synthetica\blueice\images\read_it.txt2023-01-11 14:21:23.281 11241100x8000000000000000108072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.281{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\de\javasoft\plaf\synthetica\blackeye\xml\read_it.txt2023-01-11 14:21:23.281 11241100x8000000000000000108071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.237{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\de\javasoft\plaf\synthetica\blackeye\images\read_it.txt2023-01-11 14:21:23.237 11241100x8000000000000000108070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.208{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\view\read_it.txt2023-01-11 14:21:23.208 
11241100x8000000000000000108069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.205{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\util\read_it.txt2023-01-11 14:21:23.205 11241100x8000000000000000108068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.204{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\swing\view\read_it.txt2023-01-11 14:21:23.204 11241100x8000000000000000108067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.201{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\swing\util\read_it.txt2023-01-11 14:21:23.201 11241100x8000000000000000108066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.198{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\swing\images\read_it.txt2023-01-11 14:21:23.198 11241100x8000000000000000108065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.197{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\swing\handler\read_it.txt2023-01-11 14:21:23.197 11241100x8000000000000000108064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:23.194{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\swing\read_it.txt2023-01-11 14:21:23.194 11241100x8000000000000000108063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.193{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\sharing\read_it.txt2023-01-11 14:21:23.193 11241100x8000000000000000108062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.191{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\reader\read_it.txt2023-01-11 14:21:23.191 11241100x8000000000000000108061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.190{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\model\read_it.txt2023-01-11 14:21:23.190 11241100x8000000000000000108060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.187{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\layout\read_it.txt2023-01-11 14:21:23.187 11241100x8000000000000000108059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:23.186{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\io\read_it.txt2023-01-11 14:21:23.186 11241100x8000000000000000108058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.185{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\canvas\read_it.txt2023-01-11 14:21:23.184 11241100x8000000000000000108057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.184{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\mxgraph\analysis\read_it.txt2023-01-11 14:21:23.184 11241100x8000000000000000108056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.174{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\com\glavsoft\viewer\images\read_it.txt2023-01-11 14:21:23.174 11241100x8000000000000000108055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.142{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client\read_it.txt2023-01-11 14:21:23.142 11241100x8000000000000000108054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.142{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\read_it.txt2023-01-11 
14:21:23.142 11241100x8000000000000000108053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.102{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client.jar2023-01-10 10:33:00.878 23542300x8000000000000000108052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.102{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\svchosts.exeC:\Users\Administrator\Downloads\Cobalt_Strike_4.7_original\cobaltstrike-client.jarMD5=EAED2576397FE8BCE39DB4E2562AF517,SHA256=3F80A7AC7AE3FCEFF8F7C911087EEC2FB253AA866127D9F993B25FCAF0A36A17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.648{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.643{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.642{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.638{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.637{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.633{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.630{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.628{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.625{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.621{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.606{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.601{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.599{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.587{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.577{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 
10341000x800000000000000041557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.575{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.552{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.533{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.484{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.476{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.467{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.459{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.453{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.447{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.432{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.424{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 23542300x800000000000000041546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.419{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBB36DD773077B2060D40BA85630FB4,SHA256=352FCD448A2EDD63FC03F0BEA71B9BAB631F2D55A1BC9FF94A2E0DF063B45675,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.416{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.409{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000041543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:24.405{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 734700x8000000000000000109032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.990{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000109031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.990{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000109030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-BE89-63BE-1600-00000000A702}1300424C:\Windows\System32\svchost.exe{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.974{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000109028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000109027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000109026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000109024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000109023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000109022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=9EFC3C32A8E79CFD4BBB82124A55004E,SHA256=B81FDD83CD5E2D98086CA4432C4DD88AD4C0D7B81C9577F6925856C43DAA5090,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000109021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000109020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D62656C29B0DDCDF5AF807AB797D471E,SHA256=50114D3B5404D20F3F07B962B02DAF462501F78B305BEB8DCAC836769FC6D228,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000109019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}43722292C:\Windows\system32\conhost.exe{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000109018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000109017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft 
WindowsValid 734700x8000000000000000109015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.974{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000109012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating 
SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000109006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.961{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000109003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000109002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23442368C:\Windows\system32\csrss.exe{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000109001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 
(rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000109000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000108999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000108998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 
10341000x8000000000000000108997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000108996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000108995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000108994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000108993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000108992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.946{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.946{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23443600C:\Windows\system32\csrss.exe{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000108987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.946{7DAC9CB3-C5DC-63BE-D801-00000000A702}53006496C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+7664b|C:\Windows\System32\windows.storage.dll+76361|C:\Windows\System32\windows.storage.dll+75fae|C:\Windows\System32\windows.storage.dll+77250|C:\Windows\System32\windows.storage.dll+75cfe|C:\Windows\System32\windows.storage.dll+9ccc5|C:\Windows\System32\windows.storage.dll+9d044|C:\Windows\System32\windows.storage.dll+9c680|C:\Windows\System32\shell32.dll+9e83f|C:\Windows\System32\shell32.dll+9e6cc|C:\Windows\System32\shell32.dll+9e41c|C:\Windows\System32\shell32.dll+11ed57|C:\Windows\System32\shell32.dll+11ecb5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 154100x8000000000000000108986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C bcdedit 
/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe"C:\Users\Administrator\AppData\Roaming\svchosts.exe" 10341000x8000000000000000108985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.946{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000108984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.930{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000108983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.930{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B64F110257DBE46CB558CC4C92D2433,SHA256=2E709CD40B6B989F9F8D1FF5B3B46618848155931117A79B47F9F417408C8A04,IMPHASH=00000000000000000000000000000000falsetrue 
12241200x8000000000000000108982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.930{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x8000000000000000108981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.930{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 12241200x8000000000000000108980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.919{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.919{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.919{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.919{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.919{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000108966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.906{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\vsswmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI Provider for VSSMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSPROV.DLLMD5=74CBE3C22A64B107AFED820F00B9C98F,SHA256=F907E0CFD0B7B27BCF2D8D5C0D6E4C8E1B962E96C6D611A54B6E6877FDEA8130,IMPHASH=0CACD7A3A6C4A27F7C061428AA9D4886trueMicrosoft WindowsValid 12241200x8000000000000000108965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.917{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000108956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.916{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 12241200x8000000000000000108955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.915{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000108954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.911{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E0-63BE-D901-00000000A702}1952C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 734700x8000000000000000108953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.908{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 12241200x8000000000000000108952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.908{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000108951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.908{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 12241200x8000000000000000108950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.906{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.906{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid 10341000x8000000000000000108948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.902{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000108947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.901{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000108946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.901{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000108945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.897{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000108944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.881{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.881{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.880{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000108941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.879{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000108940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.879{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000108939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.879{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000108938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.879{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000108937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.878{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
10341000x8000000000000000108936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.878{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 12241200x8000000000000000108935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.876{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000108934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.876{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000108933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.876{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000108932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.875{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000108931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.875{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000108930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000108923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.865{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000108916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x8000000000000000108915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.820{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msxml3.dll8.110.14393.5127MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=9D77BBEA5D618AC8D5218553D30E51FF,SHA256=E3B966541623884A78A09EA6D36269853B31FE31FB6DF90B48080F13E006F5DC,IMPHASH=A80F24725C5C87DCE74AE4F927273077trueMicrosoft WindowsValid 12241200x8000000000000000108914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000108910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.863{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x8000000000000000108906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.863{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 
12241200x8000000000000000108905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.860{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.857{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3,IMPHASH=481A52B415277FC8692C7D6D9EA3475CtrueMicrosoft WindowsValid 734700x8000000000000000108903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.849{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFF,IMPHASH=200200BEAF933FA4627BF83C67BA473EtrueMicrosoft WindowsValid 734700x8000000000000000108902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.842{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 
10341000x8000000000000000108901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.841{7DAC9CB3-BE89-63BE-1600-00000000A702}1300424C:\Windows\System32\svchost.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.841{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000108899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.841{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000108898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.839{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000108897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.832{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wininet.dll11.00.14393.5582 (rs1_release.221130-1719)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=CB2C069BBC0C6F01FCF8B8CC33B759F3,SHA256=20A51841566FBBADEE3D80FA2A5BCA22125CB60AB48D8C07868A0E104557D017,IMPHASH=3A3043B2614699B8AF49F62AD14660B1trueMicrosoft WindowsValid 10341000x8000000000000000108896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.830{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 734700x8000000000000000108895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.830{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\imm32.dll10.0.14393.0 
(rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000108894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.829{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000108893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.829{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000108892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.828{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000108891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.827{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000108890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.827{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000108889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.826{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000108888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.824{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000108887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.824{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000108886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.824{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000108885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.824{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000108884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.824{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 12241200x8000000000000000108883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.822{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000108882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.820{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 12241200x8000000000000000108881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.820{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.809{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.809{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.808{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.808{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.808{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.807{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.806{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x8000000000000000108857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.805{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 734700x8000000000000000108856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.800{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000108855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.750{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe10.0.14393.0 
(rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326EtrueMicrosoft WindowsValid 734700x8000000000000000108854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.800{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 12241200x8000000000000000108853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.800{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000108852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.800{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.800{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
12241200x8000000000000000108850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.800{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x8000000000000000108849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.800{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x8000000000000000108848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.798{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000108847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.798{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1,IMPHASH=69BCD1B17DF0CA323B0C1639784D745BtrueMicrosoft WindowsValid 734700x8000000000000000108846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.793{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000108845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.793{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 10341000x8000000000000000108844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.790{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 12241200x8000000000000000108843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.781{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.779{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.769{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000108840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.766{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000108839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.766{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000108838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.762{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000108837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.762{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000108836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.761{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
10341000x8000000000000000108835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000108833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000108832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.760{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 10341000x8000000000000000108831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000108830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.760{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000108829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.760{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000108828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.760{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 734700x8000000000000000108827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.759{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000108826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.757{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000108825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.757{7DAC9CB3-C5E4-63BE-DB01-00000000A702}28921828C:\Windows\system32\conhost.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.753{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 734700x8000000000000000108823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.753{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000108822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.751{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 
(rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000108821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.750{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 12241200x8000000000000000108820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x8000000000000000108816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 10341000x8000000000000000108813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.749{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 12241200x8000000000000000108812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000108811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 10341000x8000000000000000108810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.749{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23445656C:\Windows\system32\csrss.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000108809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.749{7DAC9CB3-C5E4-63BE-DA01-00000000A702}9406032C:\Windows\System32\cmd.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000108808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 154100x8000000000000000108805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.744{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic shadowcopy deleteC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{7DAC9CB3-C5E4-63BE-DA01-00000000A702}940C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete 12241200x8000000000000000108804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.749{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.748{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x8000000000000000108793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.746{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.744{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5E4-63BE-DF01-00000000A702}5572C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.744{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000108790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.742{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 12241200x8000000000000000108789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.740{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000108788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.740{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 734700x8000000000000000108787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.716{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000108786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.716{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000108785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.716{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft 
CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 734700x8000000000000000108784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.716{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.220929-2054)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=D5B0BD83918122D5D3AE6C6A01E0FC43,SHA256=EB6FBBEFD6B16EF0CD80356CE1AE6AF87478BBABED8B09BF29356A138782BB5E,IMPHASH=D73DA1D2C74E22057889487739A1CF17trueMicrosoft WindowsValid 734700x8000000000000000108783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.702{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=08D10DED9EB96961C46CAAA5CF7A853B,SHA256=AEFEF8E257DC5675CED661217FD560FB963D5E54814FD3E64FB3D3FC129C3073,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x8000000000000000108782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.716{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 12241200x8000000000000000108781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
12241200x8000000000000000108669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x8000000000000000108668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.638{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\catsrvut.dll2001.12.10941.16384 (rs1_release.221103-1703)COM+ Configuration Catalog Server UtilitiesMicrosoft® Windows® Operating SystemMicrosoft Corporationcatsrvut.DLLMD5=2F4032B8693945D2C509C0A8213B782A,SHA256=7F1127149C194950539F9925B4BFCF293DF375805CA801A9B6A505216E1A2B01,IMPHASH=D5E2BFCE361310D195CA06EA9E6D2433trueMicrosoft WindowsValid 12241200x8000000000000000108667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000108663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000108656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000108649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.653{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000108644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.653{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE 
API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 12241200x8000000000000000108643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.653{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\COM+ REGDB Writer 10341000x8000000000000000108642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.653{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000108641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.653{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000108640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.653{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.5582 (rs1_release.221130-1719)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=83557C9B0E94FCB9D5181D928563991C,SHA256=11FAEB577FAF552BE4FF2275195CD0B3471228EE56C25D38DE5261BF87DF48BA,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924trueMicrosoft Windows PublisherValid 10341000x8000000000000000108639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.653{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.638{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000108637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.638{7DAC9CB3-BE87-63BE-0A00-00000000A702}6282524C:\Windows\system32\services.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000108636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.606{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\fssprov.dll10.0.14393.5427 (rs1_release.220929-2054)Microsoft® File Server Shadow Copy ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationFSSPROV.DLLMD5=CA1D17E3A0ABF54000E69D104661A968,SHA256=3ED0BD9CFB6D6089A6F454BF1287A7DB8A4ADFB819CE5F8D52DA435A3F3DCF92,IMPHASH=430F50D6AA61D60A23D372ADC6175EF3trueMicrosoft WindowsValid 12241200x8000000000000000108634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x8000000000000000108610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.638{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000108609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.638{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000108608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.638{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.638{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.622{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000108605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.592{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 12241200x8000000000000000108604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.592{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\vss_ps.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft® Volume Shadow Copy Service proxy/stubMicrosoft® Windows® Operating SystemMicrosoft CorporationVSS_PS.DLLMD5=676129154F18AFFAFB555F716237E297,SHA256=81CD5E4666301220C3079338731E39C9FAF033D2A2DEF5FF57ED772E5D17261B,IMPHASH=A17FEFC9A91E09EBF9D3185EAB0381BFtrueMicrosoft WindowsValid 12241200x8000000000000000108602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x8000000000000000108597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000108590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000108583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 734700x8000000000000000108582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.561{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.220929-2054)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=D5B0BD83918122D5D3AE6C6A01E0FC43,SHA256=EB6FBBEFD6B16EF0CD80356CE1AE6AF87478BBABED8B09BF29356A138782BB5E,IMPHASH=D73DA1D2C74E22057889487739A1CF17trueMicrosoft WindowsValid 12241200x8000000000000000108581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000108577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} 12241200x8000000000000000108576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.622{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x8000000000000000108575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.622{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exeC:\System Volume Information\RemoteVss\{89300202-3cec-4981-9171-19f59559e0f2}-{F32554AF-9E70-418D-B16E-7F58170EA763}.PMS2023-01-11 14:21:24.622 11241100x8000000000000000108574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.622{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exeC:\System Volume Information\RemoteVss2023-01-11 14:21:24.622 734700x8000000000000000108573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.606{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000108572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.606{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 12241200x8000000000000000108571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x8000000000000000108566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000108559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000108552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.606{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x8000000000000000108545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x8000000000000000108538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x8000000000000000108536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\authz.dll10.0.14393.4886 (rs1_release.220104-1735)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=A26BCF0FE442174708AA3DB7602B5A3D,SHA256=18D5690E120DFC6260C6D2E75BD84660824EAAF919B3CDF24C46AA1D18C301EB,IMPHASH=720B221BA6A01692F2370B4CCC197970trueMicrosoft WindowsValid 12241200x8000000000000000108535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000108532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000108525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 10341000x8000000000000000108523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.592{7DAC9CB3-BE89-63BE-1200-00000000A702}4881580C:\Windows\system32\svchost.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3758d|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+52159|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 12241200x8000000000000000108522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\FSProvider_{89300202-3cec-4981-9171-19f59559e0f2} 734700x8000000000000000108517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.592{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000108516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.592{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 12241200x8000000000000000108515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.592{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x8000000000000000108512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcd.dll10.0.14393.1794 (rs1_release.171008-1615)BCD DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationbcd.dllMD5=8CCF9CCA4EEEC2594793B33F487FD327,SHA256=6C0601675E07083C28199BB7933A2CF5EF3784DC243BD030EB963052C3C4D4CA,IMPHASH=13F6727DFBA0EC436911ACC99667406EtrueMicrosoft WindowsValid 12241200x8000000000000000108511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x8000000000000000108496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x8000000000000000108495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x8000000000000000108494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
734700x8000000000000000108493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid
12241200x8000000000000000108492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x8000000000000000108491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
734700x8000000000000000108490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.497{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05trueMicrosoft WindowsValid
12241200x8000000000000000108489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x8000000000000000108488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exeHKLM\System\CurrentControlSet\Services\VSS\Diag\Registry Writer
10341000x8000000000000000108487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.575{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000108486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.575{7DAC9CB3-BE87-63BE-0B00-00000000A702}636800C:\Windows\system32\lsass.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000108485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.575{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=92CD5DA45ABA4CE45313783FCB345D99,SHA256=B0F20BE2B144056E488F8FF51E266F426625E64E3C91CCD17895A441A0935C46,IMPHASH=7712978A8D93CC3BE5668BB2C1A9F990trueMicrosoft WindowsValid
12241200x8000000000000000108484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.575{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x8000000000000000108483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.575{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid
734700x8000000000000000108482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.575{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid
11241100x8000000000000000108481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.561{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000108480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.561{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7BF9BB5B349EB959AED5DC04A8367C,SHA256=6B1531803C058B0BC58E8031580FB7EC74F6270F85494DED0A7EE8CABD4F126B,IMPHASH=00000000000000000000000000000000falsetrue
734700x8000000000000000108479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.561{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid
10341000x8000000000000000108478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.544{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000108477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.544{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x8000000000000000108476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.544{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x8000000000000000108475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.544{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000108474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.544{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
734700x8000000000000000108473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.544{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
12241200x8000000000000000108472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.544{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x8000000000000000108471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.544{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
10341000x8000000000000000108470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.544{7DAC9CB3-BE87-63BE-0A00-00000000A702}6282524C:\Windows\system32\services.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
12241200x8000000000000000108469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x8000000000000000108468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x8000000000000000108467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x8000000000000000108466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x8000000000000000108465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x8000000000000000108464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x8000000000000000108463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x8000000000000000108462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x8000000000000000108461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x8000000000000000108460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x8000000000000000108459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x8000000000000000108458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x8000000000000000108457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x8000000000000000108456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x8000000000000000108455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x8000000000000000108454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x8000000000000000108453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x8000000000000000108452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x8000000000000000108451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x8000000000000000108450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x8000000000000000108449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
734700x8000000000000000108448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.434{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\vssapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Requestor/Writer Services API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSAPI.DLLMD5=79EE1F659B982D0A1DE6FDF83B0EE546,SHA256=385A5A18E04BC7CB57899EC700A2AFAC35A37BE3C7DCC9516D38EECF66A5C69A,IMPHASH=7A42644AF0B53C51D0E36668B2E15F8FtrueMicrosoft WindowsValid
12241200x8000000000000000108447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x8000000000000000108446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.529{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
734700x8000000000000000108445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid
734700x8000000000000000108444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid
734700x8000000000000000108443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x8000000000000000108442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid
734700x8000000000000000108441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid
734700x8000000000000000108440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.529{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid
734700x8000000000000000108439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid
734700x8000000000000000108438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000108437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x8000000000000000108436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid
734700x8000000000000000108435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x8000000000000000108434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
12241200x8000000000000000108433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.513{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x8000000000000000108432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid
734700x8000000000000000108431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x8000000000000000108430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
10341000x8000000000000000108429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000108428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid
10341000x8000000000000000108427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000108426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000108425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.513{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000108424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.497{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid
734700x8000000000000000108423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.497{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
10341000x8000000000000000108422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.497{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000108421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.497{7DAC9CB3-BE87-63BE-0A00-00000000A702}6286848C:\Windows\system32\services.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000108420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.482{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe
11241100x8000000000000000108419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.483{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000108418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.483{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9814BFFFF917672E2B5CC33A3C95A0,SHA256=347CE232AFDCD63FB64CF16D40BCBB93812B3608796A60E662A1C5D97E22C52D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000108417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.466{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000108416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.466{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000108415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.466{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.466{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
12241200x8000000000000000108413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x8000000000000000108406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.466{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000108399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000108397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.434{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\vsstrace.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Volume Shadow Copy Service Tracing LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvsstrace.dllMD5=22660FF9634B3D700133905181361A28,SHA256=2189772DE55B6BE7B4221DBCD781289CD510ED8AA75AE7A45C96EFCCCE3A3B78,IMPHASH=F2BC9D3BB56F1E083F06D69A08E9AE79trueMicrosoft WindowsValid 12241200x8000000000000000108396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000108393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.450{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x8000000000000000108386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.450{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x8000000000000000108385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.450{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.450{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\system32\vssadmin.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000108383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.450{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 12241200x8000000000000000108382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software 
Publishing 734700x8000000000000000108380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.434{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000108379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.434{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 12241200x8000000000000000108378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x8000000000000000108375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000108368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000108361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 734700x8000000000000000108359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.419{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 12241200x8000000000000000108358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000108355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.434{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.419{7DAC9CB3-C5E4-63BE-DC01-00000000A702}4932C:\Windows\System32\vssadmin.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 12241200x8000000000000000108350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.419{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.419{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.419{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.419{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.419{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.419{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.419{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000108253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.343{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000108252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.343{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000108251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.342{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000108250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.342{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000108249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.342{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000108248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.341{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000108247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.340{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 12241200x8000000000000000108246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.339{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.339{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 12241200x8000000000000000108244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.339{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.338{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
12241200x8000000000000000108242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000108241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000108240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000108239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000108237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000108235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x8000000000000000108232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.337{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 12241200x8000000000000000108231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000108229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000108226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000108222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000108221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000108220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.337{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000108219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.336{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000108218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.330{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 12241200x8000000000000000108217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.334{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
734700x8000000000000000108216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.334{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000108215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.333{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23445656C:\Windows\system32\csrss.exe{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000108214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.332{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000108213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:24.332{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000108212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:24.332{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000108211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.332{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000108210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.332{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000108209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.330{7DAC9CB3-C5E4-63BE-DB01-00000000A702}2892C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000108208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.328{7DAC9CB3-C5E4-63BE-DA01-00000000A702}940C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000108207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.327{7DAC9CB3-C5E4-63BE-DA01-00000000A702}940C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000108206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.325{7DAC9CB3-C5E4-63BE-DA01-00000000A702}940C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000108205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.324{7DAC9CB3-C5E4-63BE-DA01-00000000A702}940C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000108204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.321{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23443600C:\Windows\system32\csrss.exe{7DAC9CB3-C5E4-63BE-DA01-00000000A702}940C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000108203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.321{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.321{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.321{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:24.321{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000108199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.321{7DAC9CB3-C5DC-63BE-D801-00000000A702}53001008C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-C5E4-63BE-DA01-00000000A702}940C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+7664b|C:\Windows\System32\windows.storage.dll+76361|C:\Windows\System32\windows.storage.dll+75fae|C:\Windows\System32\windows.storage.dll+77250|C:\Windows\System32\windows.storage.dll+75cfe|C:\Windows\System32\windows.storage.dll+9ccc5|C:\Windows\System32\windows.storage.dll+9d044|C:\Windows\System32\windows.storage.dll+9c680|C:\Windows\System32\shell32.dll+9e83f|C:\Windows\System32\shell32.dll+9e6cc|C:\Windows\System32\shell32.dll+9e41c|C:\Windows\System32\shell32.dll+11ed57|C:\Windows\System32\shell32.dll+11ecb5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319
CorporationCRYPT32.DLLMD5=9D81E28B73EEB3F6B2DC4C9066AAF863,SHA256=50D632854EDA489E5C9513E0B66AC4655DA5311A30728F23C38F967F3D8DB40A,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000109853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.935{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\wldp.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=E0E13482A64635E305045F9EECAF4F53,SHA256=68291C8D8C6C8CDC112A9BA73B28C5C29CD87017E96DBCC5009B9BCDBDDEF326,IMPHASH=BAB4B09716AD341771228F16AF6CB4A6trueMicrosoft WindowsValid 734700x8000000000000000109852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.928{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.928{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 12241200x8000000000000000109850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.927{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000109849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.927{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 12241200x8000000000000000109848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.927{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.900{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.900{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.900{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x8000000000000000109844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.900{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x8000000000000000109843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.889{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\sxs.dll10.0.14393.5582 (rs1_release.221130-1719)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=F2A8CD581B7D437C69B57A11C3C45E5D,SHA256=43CE351FE5BBF22128A1A60EC5BE4C70B0BC1496AD276FF04A484F7B86921B0A,IMPHASH=1CD4F5164C272A4717A58FD86B640C54trueMicrosoft WindowsValid 12241200x8000000000000000109842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.900{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000109838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000109831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000109824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.899{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000109823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.893{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll4.8.4545.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=2FAB64A8785560F3831C0C7A07105E56,SHA256=F511E0987071071C6932C33C02B2C6F3D379482690813FA5212CA5E646068662,IMPHASH=00000000000000000000000000000000false-Unavailable 12241200x8000000000000000109822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.893{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x8000000000000000109818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x8000000000000000109816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.874{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45E,IMPHASH=005299FA213F652A596AC31760C5340BtrueMicrosoft CorporationValid 12241200x8000000000000000109815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000109812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000109805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.891{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000109798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.890{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.884{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000109796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.873{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBC,IMPHASH=12E8F895FFFE1065F24D148EC1ED3096trueMicrosoft WindowsValid 12241200x8000000000000000109795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x8000000000000000109792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000109785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.883{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000109778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.882{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000109772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.882{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll4.8.4526.0 built by: 
12241200x8000000000000000109647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000109644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000109640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.717{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000109633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000109626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.716{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000109624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.714{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.623{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\msxml6.dll6.30.14393.5582MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=363A767C5E25B0339472936DAE129AFD,SHA256=805DB1110FB3AE32428BA1233D95954CB46DEC21A95E8B5B90DA96694FB266F3,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x8000000000000000109622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.714{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft 
Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000109621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.713{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x8000000000000000109620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.712{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x8000000000000000109619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.712{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x8000000000000000109618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.711{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x8000000000000000109617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.700{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x8000000000000000109616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.688{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 12241200x8000000000000000109615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.686{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x8000000000000000109614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000109611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000109607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000109600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x8000000000000000109598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.618{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\mmcndmgr.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Node Manager DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcndmgr.dllMD5=DDDF9C3B3B4CCFAAD35BA49B0864608F,SHA256=A8EE05699A2CE04D63D078C33A397ABE8D90AE6BC5F0156230620615B13A2F8B,IMPHASH=51AD9533DC3E1E0CFCFEECD129A51944trueMicrosoft WindowsValid 12241200x8000000000000000109597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000109594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.683{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.680{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 354300x8000000000000000109589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:23.990{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52056-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000109588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.658{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000109587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.656{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 12241200x8000000000000000109586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.641{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console\Settings 12241200x8000000000000000109585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console 12241200x8000000000000000109584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft 
12241200x8000000000000000109583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List 12241200x8000000000000000109582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console 12241200x8000000000000000109581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft 12241200x8000000000000000109580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List 12241200x8000000000000000109579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console 12241200x8000000000000000109578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft 12241200x8000000000000000109577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List 12241200x8000000000000000109576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console 12241200x8000000000000000109575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft 12241200x8000000000000000109574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List 12241200x8000000000000000109573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Microsoft Management Console 12241200x8000000000000000109572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.640{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft 13241300x8000000000000000109571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.639{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 734700x8000000000000000109570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.638{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 13241300x8000000000000000109569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.637{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\@mmcbase.dll,-14008Folder 13241300x8000000000000000109568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.637{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000109567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.636{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000109566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.636{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 
13241300x8000000000000000109565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.636{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\@%systemroot%\system32\blbuires.dll,-101Perform a backup or recovery of this server. 13241300x8000000000000000109564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.636{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000109563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.635{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\@%systemroot%\system32\blbuires.dll,-100Local Backup 13241300x8000000000000000109562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.635{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000109561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.633{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\@%systemroot%\system32\blbuires.dll,-1031.0 13241300x8000000000000000109560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:21:25.632{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000109559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.632{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\@%systemroot%\system32\blbuires.dll,-102Microsoft Corporation (c) 13241300x8000000000000000109558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.632{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000109557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.632{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\@%systemroot%\system32\blbuires.dll,-105Backup your important data to a local or online location. 
13241300x8000000000000000109556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.632{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000109555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.631{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\@%systemroot%\system32\blbuires.dll,-104Windows Server Backup 13241300x8000000000000000109554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.629{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 11241100x8000000000000000109553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.628{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Roaming\Microsoft\MMC2023-01-11 14:21:25.627 10341000x8000000000000000109552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.620{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.620{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.620{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 12241200x8000000000000000109549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.619{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.619{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x8000000000000000109547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.614{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-10 09:30:10.975 23542300x8000000000000000109546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.614{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=38589C7DA50D165D0CE36C3F0A0B83F2,SHA256=BD74B9F38FCBCFADAD39052068F23E1AE6F76430BAB3D871C475BD54E4A7BE6D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000109545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.590{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000109544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.590{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC709CF5FAF24DB13B8D6A5FBA87D83,SHA256=91FA4639EDE0203E8B8820F433AE052B6461AE7A4B4ABA51A7D27A48C1BE5F03,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000109543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x8000000000000000109540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000109533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000109526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.514{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000109520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.446{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating 
SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 12241200x8000000000000000109519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.511{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.492{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.492{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 
12241200x8000000000000000109513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000109506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.491{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000109499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.490{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.490{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.490{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 734700x8000000000000000109496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.423{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 12241200x8000000000000000109495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.490{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.490{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000109493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.490{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.488{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.482{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.482{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.479{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.479{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x8000000000000000109487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.422{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 12241200x8000000000000000109486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.479{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000109485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.479{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.479{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.477{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.477{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.476{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.474{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000109464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.456{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000109463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.456{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000109462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.456{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.455{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000109460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.455{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000109459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.450{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000109458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.450{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.450{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000109456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.449{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\windows.storage.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=9EFC3C32A8E79CFD4BBB82124A55004E,SHA256=B81FDD83CD5E2D98086CA4432C4DD88AD4C0D7B81C9577F6925856C43DAA5090,IMPHASH=01F0E4F326D0E3F1F46144B212433417trueMicrosoft WindowsValid 734700x8000000000000000109455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.449{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000109454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.449{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\shell32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D62656C29B0DDCDF5AF807AB797D471E,SHA256=50114D3B5404D20F3F07B962B02DAF462501F78B305BEB8DCAC836769FC6D228,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000109453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.447{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 12241200x8000000000000000109452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.438{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x8000000000000000109451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.437{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000109447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000109444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000109437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000109430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000109428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.405{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\mfc42u.dll6.06.8063.0MFCDLL Shared Library - Retail VersionMicrosoft (R) Visual C++Microsoft CorporationMFC42.DLLMD5=DD361EE0A665F41783E02CEA20285E61,SHA256=457BF44CC1BE99FD74983178AC34E83AEC2ED73DFEE9F9FC7F5F501AD8A6D03B,IMPHASH=5407FE666C5FCACC20F969C8CE05D993trueMicrosoft WindowsValid 12241200x8000000000000000109427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.436{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.433{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x8000000000000000109425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.430{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000109424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.430{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=61DF20777F4B5F912E842284D08B3A17,SHA256=5780EA1F88C5D6067604C774012AD83DDD3D79426971CFE72F3FF17D3124E33C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000109423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.423{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000109422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.422{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 12241200x8000000000000000109421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.413{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust 
Providers\Software Publishing 12241200x8000000000000000109420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.412{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000109416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x8000000000000000109413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x8000000000000000109406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 734700x8000000000000000109400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.390{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\mmcbase.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Base DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmmcbase.dllMD5=1C8D01FA2F46DA43580F66690E59F942,SHA256=24E48F93B6050D9DA4D1B93D07FCEA7F15AF8142BA8F4B8CFEF19FA670EB5B4E,IMPHASH=3A0957E0E673BE892DE6FEF53C3A2C7BtrueMicrosoft WindowsValid 12241200x8000000000000000109399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.411{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.409{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000109394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.406{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.406{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000109392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.406{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 12241200x8000000000000000109391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.403{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.403{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x8000000000000000109389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000109386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x8000000000000000109382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x8000000000000000109377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.387{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 
12241200x8000000000000000109376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.401{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
Sysmon events from the dump, one record per line. Common to every record: Channel Microsoft-Windows-Sysmon/Operational; Computer win-dc-ctus-attack-range-661.attackrange.local; Level 4; Opcode 0; Keywords 0x8000000000000000; Task = EventID; RuleName "-". Records are listed as they appear in the dump (EventRecordID descending, newest first; UtcTime is the event's own timestamp and is not monotonic). Columns are separated by " ; " and follow the Sysmon event schema for each EventID:

EID 1 (ProcessCreate, schema v5): EventRecordID ; UtcTime ; ProcessGuid ; ProcessId ; Image ; FileVersion ; Description ; Product ; Company ; OriginalFileName ; CommandLine ; CurrentDirectory ; User ; LogonGuid ; LogonId ; TerminalSessionId ; IntegrityLevel ; Hashes ; ParentProcessGuid ; ParentProcessId ; ParentImage ; ParentCommandLine
EID 7 (ImageLoad, v3): EventRecordID ; UtcTime ; ProcessGuid ; ProcessId ; Image ; ImageLoaded ; FileVersion ; Description ; Product ; Company ; OriginalFileName ; Hashes ; Signed ; Signature ; SignatureStatus
EID 10 (ProcessAccess, v3): EventRecordID ; UtcTime ; SourceProcessGUID ; SourceProcessId ; SourceThreadId ; SourceImage ; TargetProcessGUID ; TargetProcessId ; TargetImage ; GrantedAccess ; CallTrace
EID 11 (FileCreate, v2): EventRecordID ; UtcTime ; ProcessGuid ; ProcessId ; Image ; TargetFilename ; CreationUtcTime
EID 12 (RegistryEvent, v2): EventRecordID ; EventType ; UtcTime ; ProcessGuid ; ProcessId ; Image ; TargetObject
EID 13 (RegistryEvent, v2): EventRecordID ; EventType ; UtcTime ; ProcessGuid ; ProcessId ; Image ; TargetObject ; Details
EID 23 (FileDelete, v5): EventRecordID ; UtcTime ; ProcessGuid ; ProcessId ; User ; Image ; TargetFilename ; Hashes ; IsExecutable ; Archived

EID 12 ; 109369 ; CreateKey ; 2023-01-11 14:21:25.401 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EID 12 ; 109368 ; CreateKey ; 2023-01-11 14:21:25.401 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109367 ; CreateKey ; 2023-01-11 14:21:25.401 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109366 ; CreateKey ; 2023-01-11 14:21:25.400 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109365 ; CreateKey ; 2023-01-11 14:21:25.398 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 12 ; 109364 ; CreateKey ; 2023-01-11 14:21:25.389 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 12 ; 109363 ; CreateKey ; 2023-01-11 14:21:25.389 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 12 ; 109362 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EID 12 ; 109361 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EID 12 ; 109360 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EID 12 ; 109359 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EID 12 ; 109358 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EID 12 ; 109357 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EID 12 ; 109356 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EID 12 ; 109355 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109354 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109353 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EID 12 ; 109352 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EID 12 ; 109351 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109350 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EID 7 ; 109349 ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\mmc.exe ; 10.0.14393.4169 (rs1_release.210107-1130) ; Microsoft Management Console ; Microsoft® Windows® Operating System ; Microsoft Corporation ; mmc.exe ; MD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F ; true ; Microsoft Windows ; Valid
EID 12 ; 109348 ; CreateKey ; 2023-01-11 14:21:25.388 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109347 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EID 12 ; 109346 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EID 12 ; 109345 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109344 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109343 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EID 12 ; 109342 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EID 12 ; 109341 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109340 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109339 ; CreateKey ; 2023-01-11 14:21:25.387 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109338 ; CreateKey ; 2023-01-11 14:21:25.385 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 7 ; 109337 ; 2023-01-11 14:21:25.379 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\uxtheme.dll ; 10.0.14393.4169 (rs1_release.210107-1130) ; Microsoft UxTheme Library ; Microsoft® Windows® Operating System ; Microsoft Corporation ; UxTheme.dll ; MD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6 ; true ; Microsoft Windows ; Valid
EID 7 ; 109336 ; 2023-01-11 14:21:25.377 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\shlwapi.dll ; 10.0.14393.5427 (rs1_release.220929-2054) ; Shell Light-weight Utility Library ; Microsoft® Windows® Operating System ; Microsoft Corporation ; SHLWAPI.DLL ; MD5=6C4CAC9EFE57970AC9FF9DC2DC5CAA05,SHA256=B08B80DC5227DF37B5AD26B64A010D2BA1C559CD304F909D30D5D66775FAC590,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAF ; true ; Microsoft Windows ; Valid
EID 7 ; 109335 ; 2023-01-11 14:21:25.375 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\sechost.dll ; 10.0.14393.5006 (rs1_release.220301-1704) ; Host for SCM/SDDL/LSA Lookup APIs ; Microsoft® Windows® Operating System ; Microsoft Corporation ; sechost.dll ; MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 ; true ; Microsoft Windows ; Valid
EID 7 ; 109334 ; 2023-01-11 14:21:25.375 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\bcryptprimitives.dll ; 10.0.14393.4770 (rs1_release.211101-1440) ; Windows Cryptographic Primitives Library ; Microsoft® Windows® Operating System ; Microsoft Corporation ; bcryptprimitives.dll ; MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 ; true ; Microsoft Windows ; Valid
EID 7 ; 109333 ; 2023-01-11 14:21:25.372 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\rpcrt4.dll ; 10.0.14393.5291 (rs1_release.220806-1444) ; Remote Procedure Call Runtime ; Microsoft® Windows® Operating System ; Microsoft Corporation ; rpcrt4.dll ; MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132 ; true ; Microsoft Windows ; Valid
EID 7 ; 109332 ; 2023-01-11 14:21:25.372 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\ucrtbase.dll ; 10.0.14393.3659 (rs1_release_1.200410-1813) ; Microsoft® C Runtime Library ; Microsoft® Windows® Operating System ; Microsoft Corporation ; ucrtbase.dll ; MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C ; true ; Microsoft Windows ; Valid
EID 7 ; 109331 ; 2023-01-11 14:21:25.372 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\combase.dll ; 10.0.14393.5582 (rs1_release.221130-1719) ; Microsoft COM for Windows ; Microsoft® Windows® Operating System ; Microsoft Corporation ; COMBASE.DLL ; MD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 ; true ; Microsoft Windows ; Valid
EID 7 ; 109330 ; 2023-01-11 14:21:25.371 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\ole32.dll ; 10.0.14393.5127 (rs1_release_inmarket.220514-1756) ; Microsoft OLE for Windows ; Microsoft® Windows® Operating System ; Microsoft Corporation ; OLE32.DLL ; MD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 ; true ; Microsoft Windows ; Valid
EID 7 ; 109329 ; 2023-01-11 14:21:25.371 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\msvcrt.dll ; 7.0.14393.2457 (rs1_release_inmarket.180822-1743) ; Windows NT CRT DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; msvcrt.dll ; MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF ; true ; Microsoft Windows ; Valid
EID 7 ; 109328 ; 2023-01-11 14:21:25.370 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\win32u.dll ; 10.0.14393.51 (rs1_release_inmarket.160801-1836) ; Win32u ; Microsoft® Windows® Operating System ; Microsoft Corporation ; Win32u.DLL ; MD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000 ; true ; Microsoft Windows ; Valid
EID 7 ; 109327 ; 2023-01-11 14:21:25.369 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\user32.dll ; 10.0.14393.4169 (rs1_release.210107-1130) ; Multi-User Windows USER API Client DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; user32 ; MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 ; true ; Microsoft Windows ; Valid
EID 7 ; 109326 ; 2023-01-11 14:21:25.369 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\gdi32full.dll ; 10.0.14393.5582 (rs1_release.221130-1719) ; GDI Client DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; gdi32 ; MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE ; true ; Microsoft Windows ; Valid
EID 7 ; 109325 ; 2023-01-11 14:21:25.369 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\gdi32.dll ; 10.0.14393.4169 (rs1_release.210107-1130) ; GDI Client DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; gdi32 ; MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C ; true ; Microsoft Windows ; Valid
EID 12 ; 109324 ; CreateKey ; 2023-01-11 14:21:25.363 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 7 ; 109323 ; 2023-01-11 14:21:25.363 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\KernelBase.dll ; 10.0.14393.5582 (rs1_release.221130-1719) ; Windows NT BASE API Client DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; Kernelbase.dll ; MD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF ; true ; Microsoft Windows ; Valid
EID 12 ; 109322 ; CreateKey ; 2023-01-11 14:21:25.363 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 7 ; 109321 ; 2023-01-11 14:21:25.362 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\kernel32.dll ; 10.0.14393.5582 (rs1_release.221130-1719) ; Windows NT BASE API Client DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; kernel32 ; MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233 ; true ; Microsoft Windows ; Valid
EID 12 ; 109320 ; CreateKey ; 2023-01-11 14:21:25.362 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EID 12 ; 109319 ; CreateKey ; 2023-01-11 14:21:25.362 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EID 12 ; 109318 ; CreateKey ; 2023-01-11 14:21:25.362 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EID 12 ; 109317 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EID 12 ; 109316 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EID 12 ; 109315 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EID 12 ; 109314 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EID 7 ; 109313 ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; C:\Windows\System32\ntdll.dll ; 10.0.14393.5427 (rs1_release.220929-2054) ; NT Layer DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; ntdll.dll ; MD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000 ; true ; Microsoft Windows ; Valid
EID 12 ; 109312 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109311 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109310 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EID 12 ; 109309 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EID 12 ; 109308 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109307 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EID 7 ; 109306 ; 2023-01-11 14:21:25.356 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; C:\Windows\System32\pcacli.dll ; 10.0.14393.0 (rs1_release.160715-1616) ; Program Compatibility Assistant Client Module ; Microsoft® Windows® Operating System ; Microsoft Corporation ; - ; MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7 ; true ; Microsoft Windows ; Valid
EID 12 ; 109305 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109304 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EID 12 ; 109303 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EID 12 ; 109302 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109301 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109300 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EID 12 ; 109299 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EID 12 ; 109298 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EID 12 ; 109297 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109296 ; CreateKey ; 2023-01-11 14:21:25.361 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EID 12 ; 109295 ; CreateKey ; 2023-01-11 14:21:25.358 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 7 ; 109294 ; 2023-01-11 14:21:25.358 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; C:\Windows\System32\sfc_os.dll ; 10.0.14393.0 (rs1_release.160715-1616) ; Windows File Protection ; Microsoft® Windows® Operating System ; Microsoft Corporation ; sfc_os.dll ; MD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EF ; true ; Microsoft Windows ; Valid
EID 12 ; 109293 ; CreateKey ; 2023-01-11 14:21:25.357 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 12 ; 109292 ; CreateKey ; 2023-01-11 14:21:25.356 ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EID 7 ; 109291 ; 2023-01-11 14:21:25.356 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; C:\Windows\System32\mpr.dll ; 10.0.14393.2879 (rs1_release_inmarket.190313-1855) ; Multiple Provider Router DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; mpr.dll ; MD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225 ; true ; Microsoft Windows ; Valid
EID 10 ; 109290 ; 2023-01-11 14:21:25.354 ; {7DAC9CB3-BE88-63BE-0C00-00000000A702} ; 836 ; 872 ; C:\Windows\system32\svchost.exe ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; 0x1400 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EID 10 ; 109289 ; 2023-01-11 14:21:25.354 ; {7DAC9CB3-BE88-63BE-0C00-00000000A702} ; 836 ; 872 ; C:\Windows\system32\svchost.exe ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; 0x1400 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EID 10 ; 109288 ; 2023-01-11 14:21:25.354 ; {7DAC9CB3-BE88-63BE-0C00-00000000A702} ; 836 ; 872 ; C:\Windows\system32\svchost.exe ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; 0x1400 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EID 10 ; 109287 ; 2023-01-11 14:21:25.354 ; {7DAC9CB3-BE88-63BE-0C00-00000000A702} ; 836 ; 872 ; C:\Windows\system32\svchost.exe ; {7DAC9CB3-BE97-63BE-2D00-00000000A702} ; 2728 ; C:\Windows\sysmon64.exe ; 0x1400 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EID 1 ; 109286 ; 2023-01-11 14:21:25.289 ; {7DAC9CB3-C5E5-63BE-E701-00000000A702} ; 1800 ; C:\Windows\System32\mmc.exe ; 10.0.14393.4169 (rs1_release.210107-1130) ; Microsoft Management Console ; Microsoft® Windows® Operating System ; Microsoft Corporation ; mmc.exe ; "C:\Windows\system32\mmc.exe" "C:\Windows\system32\wbadmin.msc" delete catalog -quiet ; C:\Users\Administrator\AppData\Roaming\ ; ATTACKRANGE\Administrator ; {7DAC9CB3-BF8D-63BE-B996-0B0000000000} ; 0xb96b9 ; 2 ; High ; MD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
EID 11 ; 109285 ; 2023-01-11 14:21:25.348 ; {7DAC9CB3-BEAB-63BE-7B00-00000000A702} ; 3632 ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; 2023-01-10 09:32:18.990
EID 23 ; 109284 ; 2023-01-11 14:21:25.348 ; {7DAC9CB3-BEAB-63BE-7B00-00000000A702} ; 3632 ; NT AUTHORITY\SYSTEM ; C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; MD5=E451968C06FD95E170EF41E1B46771B4,SHA256=8F8CB457781FDE30ADD02662A2941A6338AE762794F39620541C06D852A7791D,IMPHASH=00000000000000000000000000000000 ; false ; true
EID 10 ; 109283 ; 2023-01-11 14:21:25.322 ; {7DAC9CB3-BF9C-63BE-B700-00000000A702} ; 5840 ; 5872 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {7DAC9CB3-C5E4-63BE-DE01-00000000A702} ; 6156 ; C:\Windows\System32\svchost.exe ; 0x1010 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EID 10 ; 109282 ; 2023-01-11 14:21:25.322 ; {7DAC9CB3-BF9C-63BE-B700-00000000A702} ; 5840 ; 5872 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {7DAC9CB3-C5E4-63BE-DE01-00000000A702} ; 6156 ; C:\Windows\System32\svchost.exe ; 0x1000 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EID 10 ; 109281 ; 2023-01-11 14:21:25.322 ; {7DAC9CB3-BF9C-63BE-B700-00000000A702} ; 5840 ; 5872 ; C:\Program Files\Aurora-Agent\aurora-agent.exe ; {7DAC9CB3-C5E4-63BE-DE01-00000000A702} ; 6156 ; C:\Windows\System32\svchost.exe ; 0x1000 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EID 7 ; 109280 ; 2023-01-11 14:21:25.281 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; C:\Windows\System32\fltLib.dll ; 10.0.14393.0 (rs1_release.160715-1616) ; Filter Library ; Microsoft® Windows® Operating System ; Microsoft Corporation ; filterLib.dll ; MD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3 ; true ; Microsoft Windows ; Valid
EID 7 ; 109279 ; 2023-01-11 14:21:25.279 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; C:\Windows\System32\virtdisk.dll ; 10.0.14393.2007 (rs1_release.171231-1800) ; Virtual Disk API DLL ; Microsoft® Windows® Operating System ; Microsoft Corporation ; VIRTDISK.DLL ; MD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830AC ; true ; Microsoft Windows ; Valid
EID 13 ; 109278 ; SetValue ; 2023-01-11 14:21:25.276 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; HKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ; DWORD (0x00000000)
EID 13 ; 109277 ; SetValue ; 2023-01-11 14:21:25.276 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; HKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ; DWORD (0x00000000)
EID 13 ; 109276 ; SetValue ; 2023-01-11 14:21:25.275 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; HKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ; DWORD (0x00000000)
EID 13 ; 109275 ; SetValue ; 2023-01-11 14:21:25.275 ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; HKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ; DWORD (0x00000000)
EID 10 ; 109274 ; 2023-01-11 14:21:25.274 ; {7DAC9CB3-BE87-63BE-0B00-00000000A702} ; 636 ; 800 ; C:\Windows\system32\lsass.exe ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; 0x1478 ; C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EID 10 ; 109273 ; 2023-01-11 14:21:25.273 ; {7DAC9CB3-BE87-63BE-0B00-00000000A702} ; 636 ; 800 ; C:\Windows\system32\lsass.exe ; {7DAC9CB3-C5E5-63BE-E401-00000000A702} ; 5832 ; C:\Windows\System32\cmd.exe ; 0x1000 ; C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000109272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.272{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 12241200x8000000000000000109271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.272{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x8000000000000000109270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.270{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.270{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000109268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.269{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000109267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.269{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 12241200x8000000000000000109266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.262{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithList 12241200x8000000000000000109265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.262{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\RegisteredApplications 12241200x8000000000000000109264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.262{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKLM\SOFTWARE\RegisteredApplications 
13241300x8000000000000000109263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.262{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithProgids\MSCFileBinary Data 12241200x8000000000000000109262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.262{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithProgids 12241200x8000000000000000109261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.254{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithList 12241200x8000000000000000109260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.253{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\RegisteredApplications 12241200x8000000000000000109259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.253{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKLM\SOFTWARE\RegisteredApplications 13241300x8000000000000000109258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.253{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithProgids\MSCFileBinary Data 
12241200x8000000000000000109257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.253{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithProgids 12241200x8000000000000000109256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.253{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc 13241300x8000000000000000109255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.252{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32\mmc.exe.ApplicationCompanyMicrosoft Corporation 13241300x8000000000000000109254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.252{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\system32\mmc.exe.FriendlyAppNameMicrosoft Management Console 734700x8000000000000000109253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.246{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.246{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.245{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000109250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.244{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000109249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.244{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 12241200x8000000000000000109248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.243{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings 12241200x8000000000000000109247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.243{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings 13241300x8000000000000000109246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.242{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\MSCFile_.mscDWORD (0x00000000) 12241200x8000000000000000109245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.242{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 10341000x8000000000000000109244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.241{7DAC9CB3-BE89-63BE-1600-00000000A702}1300424C:\Windows\System32\svchost.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.241{7DAC9CB3-BE89-63BE-1600-00000000A702}13001368C:\Windows\System32\svchost.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000109242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.240{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 10341000x8000000000000000109241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.239{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000109240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.239{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000109239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.238{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000109238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.238{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.238{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.237{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.236{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft 
CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x8000000000000000109234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.236{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 12241200x8000000000000000109233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.235{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 10341000x8000000000000000109232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.235{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000109231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.233{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000109230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.232{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.232{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.231{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® 
Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.230{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000109226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.230{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000109225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.230{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000109224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.229{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000109223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.228{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23442368C:\Windows\system32\csrss.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000109222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.228{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000109221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.228{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
14:21:25.172{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000109129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.172{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.171{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.171{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000109126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.171{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.171{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.170{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.170{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.170{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.169{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000109120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.169{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.169{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.168{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000109117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.167{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000109116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.165{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23442368C:\Windows\system32\csrss.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000109115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.165{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000109114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.164{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000109113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.164{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000109112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.164{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000109111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.163{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000109110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.161{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000109109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.160{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000109108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.159{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.152{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000109106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.151{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.151{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.151{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.151{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.150{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23443600C:\Windows\system32\csrss.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000109101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.150{7DAC9CB3-C5DC-63BE-D801-00000000A702}53007016C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c373|C:\Windows\System32\windows.storage.dll+7664b|C:\Windows\System32\windows.storage.dll+76361|C:\Windows\System32\windows.storage.dll+75fae|C:\Windows\System32\windows.storage.dll+77250|C:\Windows\System32\windows.storage.dll+75cfe|C:\Windows\System32\windows.storage.dll+9ccc5|C:\Windows\System32\windows.storage.dll+9d044|C:\Windows\System32\windows.storage.dll+9c680|C:\Windows\System32\shell32.dll+9e83f|C:\Windows\System32\shell32.dll+9e6cc|C:\Windows\System32\shell32.dll+9e41c|C:\Windows\System32\shell32.dll+11ed57|C:\Windows\System32\shell32.dll+11ecb5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+58dd65|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f15060e8f3f59f5ab00760f997a36672\mscorlib.ni.dll+633e85
|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6893 154100x8000000000000000109100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.150{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quietC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe"C:\Users\Administrator\AppData\Roaming\svchosts.exe" 10341000x8000000000000000109099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.150{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000109098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.136{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x8000000000000000109097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.136{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 13241300x8000000000000000109096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.127{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\system32\bcdedit.exeHKLM\BCD00000000\Objects\{0daf9bba-94c8-11e6-b1fd-0e5bdc9ce43b}\Elements\16000009\ElementBinary Data 12241200x8000000000000000109095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.127{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\system32\bcdedit.exeHKLM\BCD00000000\Objects\{0daf9bba-94c8-11e6-b1fd-0e5bdc9ce43b}\Elements\16000009 10341000x8000000000000000109094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.125{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.125{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.125{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.124{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000109090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.120{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\System32\bcdedit.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.120{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\System32\bcdedit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
10341000x8000000000000000109088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.119{7DAC9CB3-C5E4-63BE-E101-00000000A702}43722292C:\Windows\system32\conhost.exe{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000109087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.117{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\System32\bcdedit.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000109086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.116{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\System32\bcdedit.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000109085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.115{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\System32\bcdedit.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.115{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\System32\bcdedit.exeC:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exeMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6trueMicrosoft WindowsValid 10341000x8000000000000000109083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.112{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.113{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23442368C:\Windows\system32\csrss.exe{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000109081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.113{7DAC9CB3-C5E4-63BE-E001-00000000A702}49886196C:\Windows\System32\cmd.exe{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000109080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.113{7DAC9CB3-C5E5-63BE-E301-00000000A702}5784C:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} recoveryenabled noC:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 12241200x8000000000000000109079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000109078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000109077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000109076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000109074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.104{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000109060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000109059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000109058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000109057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.093{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\System32\bcdedit.exeC:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exeMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6trueMicrosoft WindowsValid 12241200x8000000000000000109056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.103{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000109055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.101{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x8000000000000000109054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:25.100{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\system32\bcdedit.exeHKLM\BCD00000000\Objects\{0daf9bba-94c8-11e6-b1fd-0e5bdc9ce43b}\Elements\250000e0\ElementBinary Data 12241200x8000000000000000109053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.100{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\system32\bcdedit.exeHKLM\BCD00000000\Objects\{0daf9bba-94c8-11e6-b1fd-0e5bdc9ce43b}\Elements\250000e0 734700x8000000000000000109052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.098{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\System32\bcdedit.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.096{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\System32\bcdedit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000109050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.096{7DAC9CB3-C5E4-63BE-E101-00000000A702}43722292C:\Windows\system32\conhost.exe{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000109049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.095{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\System32\bcdedit.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000109048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.095{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\System32\bcdedit.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 12241200x8000000000000000109047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.094{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:25.094{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000109045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.094{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\System32\bcdedit.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000109044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.092{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.091{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.091{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.091{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000109040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:25.091{7DAC9CB3-BF8B-63BE-9C00-00000000A702}23443600C:\Windows\system32\csrss.exe{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000109039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.090{7DAC9CB3-C5E4-63BE-E001-00000000A702}49886196C:\Windows\System32\cmd.exe{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000109038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.082{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\System32\bcdedit.exe10.0.14393.5427 (rs1_release.220929-2054)Boot Configuration Data EditorMicrosoft® Windows® Operating SystemMicrosoft Corporationbcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Users\Administrator\AppData\Roaming\ATTACKRANGE\Administrator{7DAC9CB3-BF8D-63BE-B996-0B0000000000}0xb96b92HighMD5=3890A554538E956C56C97B29B08E20B3,SHA256=EC73F9AF0A5AEABDB739F9C50D605EF9942E95794E59A9C023BD5F7D02880F2A,IMPHASH=640CFCF7F00029D52EF0C4D45E2E87A6{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no 
10341000x8000000000000000109037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.082{7DAC9CB3-BE89-63BE-1000-00000000A702}1005260C:\Windows\System32\svchost.exe{7DAC9CB3-C5E5-63BE-E201-00000000A702}5064C:\Windows\system32\bcdedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000109036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.077{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000109035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.077{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1044A1988D04CE646E186CA8199FE9,SHA256=A128AA223A7F8936A2C0A8AAD63F6E8488EB55B44B681A33E6CF33638BF2BDF5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000109034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:25.006{7DAC9CB3-C5E4-63BE-E001-00000000A702}4988C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:24.990{7DAC9CB3-C5E4-63BE-E101-00000000A702}4372C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 23542300x800000000000000041574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:26.821{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6268926B7F3AFAE31D05E696189D48,SHA256=445B123F067261A954A11B15934B3C61AB9C63723A0558F5F91AAFDB3A932523,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000110010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:26.937{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 734700x8000000000000000110009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:26.874{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\593f258c74fed800dfa0d8eaa94b3058\blbwizfx.ni.dll10.0.14393.4046 Microsoft (R) Windows (R) Operating SystemMicrosoft Corporationblbwizfx.dllMD5=CB7E3F14BBACBF40CED97B77B3748536,SHA256=D63705EA4D504F4D3DC8D62247484F30E7752610CA11C7CBF497B73EF2E1FDC5,IMPHASH=00000000000000000000000000000000false-Unavailable 12241200x8000000000000000110008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.925{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000110007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.925{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000110006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.874{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\081236d71e624bb84eae0aa75de7dca0\blbmmc.ni.dll10.0.14393.4046 Microsoft (R) Windows (R) Operating SystemMicrosoft Corporationblbmmc.dllMD5=BBE7A3BCE3C0BA0F2A6279E0AC86745A,SHA256=18F964AE86D44977C06A58E65A6C9E6858A917AE187597100DDEFEA58D29C44C,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x8000000000000000110005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.893{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 12241200x8000000000000000110004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.874{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000110003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.874{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000110002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.749{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 12241200x8000000000000000110001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.718{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000110000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.718{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
Sysmon records from the Microsoft-Windows-Sysmon/Operational channel on win-dc-ctus-attack-range-661.attackrange.local, one record per line as Field=Value pairs, newest EventRecordID first. System fields that are identical on every record are stated once here rather than repeated: Level=4 Opcode=0 Keywords=0x8000000000000000, Task equal to EventID, RuleName=- (no rule name set); Version is 2 for Event ID 12 and 11, 3 for Event ID 7 and 10, and 5 for Event ID 23.

EventID=12 EventRecordID=109999 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109998 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 EventRecordID=109997 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 EventRecordID=109996 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109995 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109994 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109993 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109992 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109991 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109990 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109989 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109988 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109987 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109986 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109985 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109984 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109983 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109982 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=7 EventRecordID=109981 UtcTime=2023-01-11 14:21:26.639 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\System32\credui.dll FileVersion=10.0.14393.2879 (rs1_release_inmarket.190313-1855) Description=Credential Manager User Interface Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=credui.dll Hashes=MD5=F3EA67955C81EDC0351A4E7418EEEAF4,SHA256=1DC9FF6C665A376789094BF59DCF125A7BE0280D798C74C0853AD1D808104F5D,IMPHASH=4559CD65117B2CEA951EAA739A2320C9 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 EventRecordID=109980 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109979 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109978 UtcTime=2023-01-11 14:21:26.718 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109977 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109976 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109975 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109974 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109973 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109972 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109971 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 EventRecordID=109970 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 EventRecordID=109969 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109968 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109967 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109966 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109965 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109964 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109963 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109962 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109961 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109960 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109959 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109958 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109957 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109956 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109955 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109954 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109953 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=7 EventRecordID=109952 UtcTime=2023-01-11 14:21:26.639 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\Microsoft.NET\assembly\GAC_64\blbproxy\v4.0_10.0.0.0__31bf3856ad364e35\blbproxy.dll FileVersion=10.0.14393.4046 (rs1_release.201028-1803) Description=Managed Proxy between LHBackup engine and UI Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ManagedProxy.dll Hashes=MD5=97C8E61DB9A00244C5D3047F8C59E47F,SHA256=966D71D88823420C43ED6B1172AE4FA6AADF48B271048BADC2A4BD5A00456A8A,IMPHASH=0746B327FFA4FA1457971DD53A4314F6 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 EventRecordID=109951 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109950 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109949 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109948 UtcTime=2023-01-11 14:21:26.702 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 EventRecordID=109947 UtcTime=2023-01-11 14:21:26.624 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\wsbsnapincommon\d8dbde9bd56745db43b49f0b61f656b5\wsbsnapincommon.ni.dll FileVersion=10.0.14393.4046 Description= Product=Microsoft (R) Windows (R) Operating System Company=Microsoft Corporation OriginalFileName=wsbsnapincommon.dll Hashes=MD5=862281416B8C185EC89752983F1639D2,SHA256=5A7D1582CF9F8205E017992F3F87A193F76CAD544327C00D46B322DCA2377CCC,IMPHASH=00000000000000000000000000000000 Signed=false Signature=- SignatureStatus=Unavailable
EventID=7 EventRecordID=109946 UtcTime=2023-01-11 14:21:26.702 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5501_none_aec664b1ddd8c519\GdiPlus.dll FileVersion=10.0.14393.5501 (rs1_release.221103-1703) Description=Microsoft GDI+ Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=gdiplus Hashes=MD5=C8D45154ED70BAC1BEEFD0189370A4BB,SHA256=9F85F30113189576460BAE5BF56327A4E3DB65B84E8933595260DA224C8811E8,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6B Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 EventRecordID=109945 UtcTime=2023-01-11 14:21:26.692 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109944 UtcTime=2023-01-11 14:21:26.692 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 EventRecordID=109943 UtcTime=2023-01-11 14:21:26.593 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\62064ab31fcca0276bc2e2f993620346\blbproxy.ni.dll FileVersion=10.0.14393.4046 (rs1_release.201028-1803) Description=Managed Proxy between LHBackup engine and UI Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ManagedProxy.dll Hashes=MD5=79AD6BFE676691ED209E9145359821A0,SHA256=B969300E8585B019849D7B54B9B4DF58BB7B2123F2543AC597CA66253E4CAB3D,IMPHASH=00000000000000000000000000000000 Signed=false Signature=- SignatureStatus=Unavailable
EventID=12 EventRecordID=109942 UtcTime=2023-01-11 14:21:26.671 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109941 UtcTime=2023-01-11 14:21:26.671 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 EventRecordID=109940 UtcTime=2023-01-11 14:21:26.562 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\wsbmmc\a69393bf1a31441db5fc8d990f851cf0\wsbmmc.ni.dll FileVersion=10.0.14393.4046 Description= Product=Microsoft (R) Windows (R) Operating System Company=Microsoft Corporation OriginalFileName=wsbmmc.dll Hashes=MD5=55FE5C2FBB68BC649994315298946EC8,SHA256=535CF71566D1F73A53F357573B88904CA772ED89794200F3AA40FE13DE9BD529,IMPHASH=00000000000000000000000000000000 Signed=false Signature=- SignatureStatus=Unavailable
EventID=11 EventRecordID=109939 UtcTime=2023-01-11 14:21:26.664 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\system32\mmc.exe TargetFilename=C:\Windows\Logs\WindowsServerBackup\WBEngine.0.etl CreationUtcTime=2023-01-11 14:21:26.664
EventID=11 EventRecordID=109938 UtcTime=2023-01-11 14:21:26.639 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\system32\mmc.exe TargetFilename=C:\Windows\Logs\WindowsServerBackup CreationUtcTime=2023-01-11 14:21:26.639
EventID=7 EventRecordID=109937 UtcTime=2023-01-11 14:21:26.639 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\System32\wevtapi.dll FileVersion=10.0.14393.3053 (rs1_release_inmarket.190612-1836) Description=Eventing Consumption and Configuration API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=wevtapi.dll Hashes=MD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=109936 UtcTime=2023-01-11 14:21:26.639 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\System32\netapi32.dll FileVersion=10.0.14393.5427 (rs1_release.220929-2054) Description=Net Win32 API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=NetApi32.DLL Hashes=MD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588C Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=12 EventRecordID=109935 UtcTime=2023-01-11 14:21:26.639 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109934 UtcTime=2023-01-11 14:21:26.639 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109933 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 EventRecordID=109932 UtcTime=2023-01-11 14:21:26.514 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\2b0459ad3f2eb18974de1cdbc97b02c1\Microsoft.ManagementConsole.ni.dll FileVersion=10.0.14393.4046 Description=MMCFx Product=Microsoft (R) Windows (R) Operating System Company=Microsoft Corporation OriginalFileName=Microsoft.ManagementConsole.dll Hashes=MD5=9C2800BB100B4CEF833B32491E0E7531,SHA256=2411E90534D64B67C56B691D95695111EEF120FAD61AF73221D73B6E64FFA114,IMPHASH=00000000000000000000000000000000 Signed=false Signature=- SignatureStatus=Unavailable
EventID=12 EventRecordID=109931 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109930 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109929 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109928 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109927 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 EventRecordID=109926 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
EventID=12 EventRecordID=109925 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109924 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109923 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109922 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109921 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109920 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109919 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109918 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109917 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109916 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109915 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=7 EventRecordID=109914 UtcTime=2023-01-11 14:21:26.452 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll FileVersion=14.8.3761.0 built by: NET48REL1 Description=Dia based SymReader Product=Microsoft® .NET Framework Company=Microsoft Corporation OriginalFileName=diasymreader.dll Hashes=MD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6,IMPHASH=291B64B0984CCD3A091CF75D2A111D5D Signed=true Signature=Microsoft Corporation SignatureStatus=Valid
EventID=12 EventRecordID=109913 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109912 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109911 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
EventID=12 EventRecordID=109910 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
EventID=12 EventRecordID=109909 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
EventID=12 EventRecordID=109908 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109907 UtcTime=2023-01-11 14:21:26.624 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
EventID=12 EventRecordID=109906 UtcTime=2023-01-11 14:21:26.608 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 EventRecordID=109905 UtcTime=2023-01-11 14:21:26.436 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\ee250b1baaf582c7ca2b351f2f3f5e1c\System.Windows.Forms.ni.dll FileVersion=4.8.4556.0 built by: NET48REL1LAST_B Description=.NET Framework Product=Microsoft® .NET Framework Company=Microsoft Corporation OriginalFileName=System.Windows.Forms.dll Hashes=MD5=284300B512FE92853D650AAF7654D6BC,SHA256=FE18DCD6BC8C80D5D619EF185396A79DE86D785493BA0D21C66E6D70ADACD959,IMPHASH=00000000000000000000000000000000 Signed=false Signature=- SignatureStatus=Unavailable
EventID=7 EventRecordID=109904 UtcTime=2023-01-11 14:21:26.514 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll FileVersion=4.8.4526.0 built by: NET48REL1LAST_B Description=Microsoft .NET Runtime Just-In-Time Compiler Product=Microsoft® .NET Framework Company=Microsoft Corporation OriginalFileName=clrjit.dll Hashes=MD5=1E97AB4809C6F313924374B955C06609,SHA256=0EED3DC3607EC986FFC8BE594A6656D668647DCC84E2158006123A4EBD273B12,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2 Signed=true Signature=Microsoft Corporation SignatureStatus=Valid
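The export above fuses the system columns of each record (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID) into one digit run such as 12241200x8000000000000000109999, and the Event ID 10 records carry raw GrantedAccess masks (0x1010, 0x1000). The following is an added example, not part of this export and not Sysmon or Splunk code. It recovers the system columns from that fused prefix (assuming the Sysmon convention that Task equals EventID, which is what makes the split unambiguous), names the rights in a GrantedAccess mask, and runs two triage rules over records constructed from values visible on this page plus two hypothetical records (EventRecordID 200000 and 200001, paths under C:\Users\Public) added so that each rule has something to flag:

```python
"""Triage helpers for Sysmon/Operational records like those exported above.

Added example. Assumes Sysmon's convention that Task == EventID, which makes
the delimiter-less system-field prefix splittable. SAMPLE_RECORDS are
constructed: four are copied from this page, two (200000, 200001) are
hypothetical and exist only so the rules fire.
"""
from __future__ import annotations

import re

# Process access rights from winnt.h, used to decode Event ID 10 GrantedAccess.
ACCESS_BITS = {
    0x00000001: "PROCESS_TERMINATE", 0x00000002: "PROCESS_CREATE_THREAD",
    0x00000008: "PROCESS_VM_OPERATION", 0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE", 0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS", 0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION", 0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME", 0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00002000: "PROCESS_SET_LIMITED_INFORMATION", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
KNOWN_BITS = sum(ACCESS_BITS)  # the keys are disjoint bits, so the sum is their OR

# Fused prefix: EventID Version Level Task Opcode run together, then Keywords
# (0x plus 16 hex digits), then EventRecordID; the channel name follows.
_HEADER_RE = re.compile(r"^(\d+)(0x[0-9A-Fa-f]{16})(\d+)")


def decode_fused_header(record: str) -> dict:
    """Split a prefix like '12241200x8000000000000000109999' into named columns.
    Version, Level and Opcode are one digit each and Task == EventID, so the
    digit run is exactly 2*len(EventID)+3 characters long."""
    m = _HEADER_RE.match(record)
    if m is None:
        raise ValueError(f"not a fused Sysmon header: {record[:40]!r}")
    digits, keywords, record_id = m.groups()
    if len(digits) < 5 or (len(digits) - 3) % 2:
        raise ValueError(f"header digits {digits!r} do not split unambiguously")
    n = (len(digits) - 3) // 2
    event_id, task = digits[:n], digits[n + 2:2 * n + 2]
    if event_id != task:
        raise ValueError(f"Task {task} != EventID {event_id}; not a Sysmon record")
    return {"EventID": int(event_id), "Version": int(digits[n]),
            "Level": int(digits[n + 1]), "Task": int(task),
            "Opcode": int(digits[2 * n + 2]), "Keywords": keywords,
            "EventRecordID": int(record_id)}


def decode_granted_access(mask: int) -> list[str]:
    """Name every right set in a GrantedAccess mask, lowest bit first; bits
    outside the table are reported as one UNKNOWN(...) entry."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


# NGEN native images are compiled on the host and are not Authenticode-signed,
# so Signed=false from this directory is expected and is not reported.
NGEN_PREFIX = r"c:\windows\assembly\nativeimages_"


def triage(records: list[dict]) -> list[str]:
    """Rule 1: Event ID 10 handle to lsass.exe that includes PROCESS_VM_READ.
    Rule 2: Event ID 7 unsigned image load from outside the NGEN cache."""
    findings = []
    for rec in records:
        hdr = decode_fused_header(rec["prefix"])
        rid = hdr["EventRecordID"]
        if hdr["EventID"] == 10:
            rights = decode_granted_access(int(rec["GrantedAccess"], 16))
            target = rec["TargetImage"].rsplit("\\", 1)[-1].lower()
            if target == "lsass.exe" and "PROCESS_VM_READ" in rights:
                findings.append(f"{rid}: {rec['SourceImage']} opened lsass.exe with "
                                + ", ".join(rights))
        elif hdr["EventID"] == 7:
            if rec["Signed"] == "false" and not rec["ImageLoaded"].lower().startswith(NGEN_PREFIX):
                findings.append(f"{rid}: unsigned {rec['ImageLoaded']} loaded by {rec['Image']}")
    return findings


SAMPLE_RECORDS = [
    # Copied from records on this page: Aurora-Agent probing DllHost/conhost,
    # mmc.exe loading an NGEN image and a signed system DLL.
    {"prefix": "10341000x8000000000000000109895", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Program Files\Aurora-Agent\aurora-agent.exe",
     "TargetImage": r"C:\Windows\system32\DllHost.exe"},
    {"prefix": "10341000x8000000000000000109892", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Program Files\Aurora-Agent\aurora-agent.exe",
     "TargetImage": r"C:\Windows\system32\conhost.exe"},
    {"prefix": "734700x8000000000000000109943", "Signed": "false", "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\62064ab31fcca0276bc2e2f993620346\blbproxy.ni.dll"},
    {"prefix": "734700x8000000000000000109981", "Signed": "true", "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\credui.dll"},
    # Hypothetical records (not on this page), one per rule.
    {"prefix": "10341000x8000000000000000200000", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Users\Public\dump.exe", "TargetImage": r"C:\Windows\system32\lsass.exe"},
    {"prefix": "734700x8000000000000000200001", "Signed": "false", "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Users\Public\snapin.dll"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_RECORDS):
        print(line)
```

Run against the six constructed records, only the two hypothetical ones are reported: the Aurora-Agent records decode to PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION (0x1010) but target DllHost.exe and conhost.exe,  and the unsigned blbproxy.ni.dll load is excused by its NGEN cache path, while a signed credui.dll never reaches the second rule. The same 0x1010 mask against lsass.exe is the shape Sysmon configurations commonly alert on, which is why the rule keys on the target name rather than on the mask alone.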
Records continue, one per line as Field=Value pairs, with the same system fields as the records above (channel Microsoft-Windows-Sysmon/Operational, computer win-dc-ctus-attack-range-661.attackrange.local, Level=4 Opcode=0 Keywords=0x8000000000000000, Task equal to EventID, RuleName=-; Version 2 for Event ID 12 and 11, 3 for Event ID 7 and 10, 5 for Event ID 23). The six complete Event ID 10 records share one CallTrace, shown on each.

EventID=12 EventRecordID=109903 UtcTime=2023-01-11 14:21:26.436 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109902 UtcTime=2023-01-11 14:21:26.436 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=11 EventRecordID=109901 UtcTime=2023-01-11 14:21:26.407 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2023-01-10 09:32:18.990
EventID=23 EventRecordID=109900 UtcTime=2023-01-11 14:21:26.406 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=E421F351F7C9F1A5FE3D7F15549F0684,SHA256=34B60E7775789B29D26F914EFEE2FDBFF50A544F8CEB6B07E762E7D0B199A47C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=7 EventRecordID=109899 UtcTime=2023-01-11 14:21:26.259 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\bf80b8ac55fd40aced1d096250aac172\System.Drawing.ni.dll FileVersion=4.8.4395.0 built by: NET48REL1LAST_B Description=.NET Framework Product=Microsoft® .NET Framework Company=Microsoft Corporation OriginalFileName=System.Drawing.dll Hashes=MD5=C20190DA3D4B77A1662F026118F06968,SHA256=61EA726F02F345255C81371B7B124DB2FA9B4234BBE14E4DF8784DB752BD3D89,IMPHASH=00000000000000000000000000000000 Signed=false Signature=- SignatureStatus=Unavailable
EventID=12 EventRecordID=109898 UtcTime=2023-01-11 14:21:26.342 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=12 EventRecordID=109897 UtcTime=2023-01-11 14:21:26.341 EventType=CreateKey ProcessGuid={7DAC9CB3-BE97-63BE-2D00-00000000A702} ProcessId=2728 Image=C:\Windows\sysmon64.exe TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
EventID=7 EventRecordID=109896 UtcTime=2023-01-11 14:21:26.227 ProcessGuid={7DAC9CB3-C5E5-63BE-E701-00000000A702} ProcessId=1800 Image=C:\Windows\System32\mmc.exe ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\bcd5e36ccc17ee2507018f5d1b29e273\System.Xml.ni.dll FileVersion=4.8.3761.0 built by: NET48REL1 Description=.NET Framework Product=Microsoft® .NET Framework Company=Microsoft Corporation OriginalFileName=System.Xml.dll Hashes=MD5=304F547F46EE61270FFA0DAD2DF6912B,SHA256=37CDD607A795FAB4BE194AB6EACECC81903EC2EC9ED2DDD4C4D24276A01E9F96,IMPHASH=00000000000000000000000000000000 Signed=false Signature=- SignatureStatus=Unavailable
EventID=10 EventRecordID=109895 UtcTime=2023-01-11 14:21:26.334 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5872 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-C5E5-63BE-E601-00000000A702} TargetProcessId=4128 TargetImage=C:\Windows\system32\DllHost.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10 EventRecordID=109894 UtcTime=2023-01-11 14:21:26.334 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5872 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-C5E5-63BE-E601-00000000A702} TargetProcessId=4128 TargetImage=C:\Windows\system32\DllHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10 EventRecordID=109893 UtcTime=2023-01-11 14:21:26.334 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5872 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-C5E5-63BE-E601-00000000A702} TargetProcessId=4128 TargetImage=C:\Windows\system32\DllHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10 EventRecordID=109892 UtcTime=2023-01-11 14:21:26.333 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5872 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-C5E5-63BE-E501-00000000A702} TargetProcessId=4664 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10 EventRecordID=109891 UtcTime=2023-01-11 14:21:26.333 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5872 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-C5E5-63BE-E501-00000000A702} TargetProcessId=4664 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10 EventRecordID=109890 UtcTime=2023-01-11 14:21:26.333 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5872 SourceImage=C:\Program Files\Aurora-Agent\aurora-agent.exe TargetProcessGUID={7DAC9CB3-C5E5-63BE-E501-00000000A702} TargetProcessId=4664 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)
EventID=10 EventRecordID=109889 UtcTime=2023-01-11 14:21:26.331 SourceProcessGUID={7DAC9CB3-BF9C-63BE-B700-00000000A702} SourceProcessId=5840 SourceThreadId=5872 SourceImage=C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000109888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.331{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x8000000000000000109887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.331{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405872C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 12241200x8000000000000000109886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.227{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.227{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000109884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.098{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\756aea5f9a7e26a91ee07676cce5ead5\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6874BA87C64A9BF0F5A5305D25654DE0,SHA256=B624880F49BC068F6766153AD605D4BBAF8ECFDC43A6335C3D2F0464764E9260,IMPHASH=00000000000000000000000000000000false-Unavailable 12241200x8000000000000000109883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:26.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000109882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:26.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000109881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.088{7DAC9CB3-C5E5-63BE-E701-00000000A702}1800C:\Windows\System32\mmc.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\5973c019b0c7189c85b0900542d5f0ff\System.Core.ni.dll4.8.4590.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=8FD4D1C0E4FE382890C35514BE55E82D,SHA256=5C8462C3B08C87B8670303A35984818B47ACE440906864BD8A9CEEE12C804EAA,IMPHASH=00000000000000000000000000000000false-Unavailable 10341000x8000000000000000109880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.075{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:26.075{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.075{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.074{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.074{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.074{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E601-00000000A702}4128C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 11241100x8000000000000000109874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.005{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000109873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.005{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2610823217A1BF0AE35FA73CF556A7DD,SHA256=48D98D8692565DC5A689835B83ED1683261F2DF297D434B29C4565DB4F16A7C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000109872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.002{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.002{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000109867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:26.002{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:27.958{7DAC9CB3-BF8E-63BE-A300-00000000A702}44604724C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3758d|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+52159|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 12241200x8000000000000000110120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.958{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000110119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000110118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000110117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000110116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 734700x8000000000000000110098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:27.896{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.Internal.Shell.Broker.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell BrokerMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWindows.Internal.Shell.Broker.dllMD5=206704E18C5440D09F648C2DEEF16CCA,SHA256=F2D6BF45D3D169DF38D76997C81F14B43912658177850C292A81F41CE83FCD84,IMPHASH=9E3ABA0295C7548C4F5020B4E453434CtrueMicrosoft WindowsValid 12241200x8000000000000000110097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x8000000000000000110095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:27.896{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000110094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:27.896{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 12241200x8000000000000000110093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:27.896{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x8000000000000000110092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:27.849{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db2023-01-11 14:21:27.849 13241300x8000000000000000110091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:27.849{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000110090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:27.849{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000110089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:27.849{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000110088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:27.849{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000110087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x8000000000000000110258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.164{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 12241200x8000000000000000110257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.307{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000110249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000110248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000110247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000110246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x8000000000000000110234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.135{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinui.dll10.0.14393.5582 (rs1_release.221130-1719)TWINUIMicrosoft® Windows® Operating SystemMicrosoft CorporationTWINUI.dllMD5=06FC46FDD6221163A070EA033AF96226,SHA256=C000BA03B8EB26EE3AF167CE93CFB48DF64263DCAA695A80EC85A60A4BCA743D,IMPHASH=B98A56301D4EF217B14C24D92F13B2B4trueMicrosoft WindowsValid 12241200x8000000000000000110233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.291{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.276{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000110224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.188{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 13241300x8000000000000000110223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:21:28.181{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000110222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:28.181{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x8000000000000000110221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:28.181{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000110220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:28.181{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x8000000000000000110219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:28.180{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x8000000000000000110218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:21:28.180{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x8000000000000000110217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.179{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 12241200x8000000000000000110216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.179{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x8000000000000000110215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.177{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000110214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.177{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API 
Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000110213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.177{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\iertutil.dll11.00.14393.5582 (rs1_release.221130-1719)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=4C585A18CCB60D6BB755F249ACFA133C,SHA256=9F2D3C7A6EB6BFAB7EE688FB2F93891BA65BD206933F171139CB1877A147DE94,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x8000000000000000110212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.176{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\urlmon.dll11.00.14393.5582 (rs1_release.221130-1719)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=A99B52D97035B13B4C06366E1ABE05E7,SHA256=4009730BE3CE17F80A98BEB323FFF3626AF02B7EAE64601B2A0BEF8B87145E9F,IMPHASH=B5AFB93FCF976F12D390F994AD9F4967trueMicrosoft WindowsValid 734700x8000000000000000110211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.168{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B9738D6785CE0FF92F87C583E47E50B4,SHA256=EAEB44F64DF50357448460AE57CDFD154A4035B36A519EF868302DE3DD26F16A,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 
12241200x8000000000000000110210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.138{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000110209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.137{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x8000000000000000110208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.136{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000110207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.136{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=17061020D475E2BCD9FABBE2403F03DB,SHA256=24E48405A73B2C3532A04A910E465FAC6E87B064A40D5ABAFFFF091D1033B3C5,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 12241200x8000000000000000110206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000110205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000110204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000110203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x8000000000000000110202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.036{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\WinTypes.dll10.0.14393.5582 (rs1_release.221130-1719)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=640B21F3FC55657533E73D22FD0C172A,SHA256=9C32A3B29647F0608395A81C9B02256A5AE3A61367FFBCEE278CEB4768FE5A75,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 12241200x8000000000000000110201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.119{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.118{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.101{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000110181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.100{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000110180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.100{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x8000000000000000110179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:28.022{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 12241200x8000000000000000110178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.100{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000110177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.100{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.099{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.098{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.095{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000110156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.074{7DAC9CB3-BF8E-63BE-A300-00000000A702}44606572C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8aa7b|C:\Windows\System32\combase.dll+8bf42|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c05d|C:\Windows\System32\combase.dll+37e9f|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+34356|C:\Windows\System32\combase.dll+33b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:
\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000110155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.074{7DAC9CB3-BF8E-63BE-A300-00000000A702}44606572C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8aa7b|C:\Windows\System32\combase.dll+8bf42|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c05d|C:\Windows\System32\combase.dll+37e9f|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+34356|C:\Windows\System32\combase.dll+33b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000110154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:28.071{7DAC9CB3-BF8E-63BE-A300-00000000A702}44604492C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3758d|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+52159|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 12241200x8000000000000000110153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.064{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000110152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.062{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x8000000000000000110151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:28.059{7DAC9CB3-BF8E-63BE-A300-00000000A702}44606572C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8aa7b|C:\Windows\System32\combase.dll+8bf42|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c05d|C:\Windows\System32\combase.dll+37e9f|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+34356|C:\Windows\System32\combase.dll+33b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000110150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:28.059{7DAC9CB3-BF8E-63BE-A300-00000000A702}44606572C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8aa7b|C:\Windows\System32\combase.dll+8bf42|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c05d|C:\Windows\System32\combase.dll+37e9f|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+34356|C:\Windows\System32\combase.dll+33b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 12241200x8000000000000000110149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.059{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000110148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.059{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000110147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.059{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000110146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.059{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.059{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000110144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.059{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x8000000000000000110141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:27.958{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ntoskrnl.exe10.0.14393.5582 (rs1_release.221130-1719)NT Kernel & SystemMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntkrnlmp.exeMD5=265D0D2747A8B18152BF74216C6D12D2,SHA256=E14F559795C782F269CA151529A15EC2FD2CAD8FD6D7AE4FA9248EE83DC6282C,IMPHASH=28C22BC918D86AD8BBCB5C7E356B4701trueMicrosoft WindowsValid 12241200x8000000000000000110140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.058{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.057{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000110129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.057{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000110128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.057{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000110127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:28.057{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000110126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:28.056{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x8000000000000000110125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.036{7DAC9CB3-BF8E-63BE-A300-00000000A702}44604724C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b1a|C:\Windows\System32\combase.dll+6d8ed|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3758d|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+52159|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 734700x8000000000000000110124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:28.036{7DAC9CB3-BF8E-63BE-A300-00000000A702}4460C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 10341000x8000000000000000110123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:28.022{7DAC9CB3-BF8E-63BE-A300-00000000A702}44606572C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8aa7b|C:\Windows\System32\combase.dll+8bf42|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c05d|C:\Windows\System32\combase.dll+37e9f|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+34356|C:\Windows\System32\combase.dll+33b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000110122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:28.022{7DAC9CB3-BF8E-63BE-A300-00000000A702}44606572C:\Windows\System32\RuntimeBroker.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8aa7b|C:\Windows\System32\combase.dll+8bf42|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c05d|C:\Windows\System32\combase.dll+37e9f|C:\Windows\System32\combase.dll+36c5f|C:\Windows\System32\combase.dll+34356|C:\Windows\System32\combase.dll+33b0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 11241100x8000000000000000110369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.649{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.649{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A9EDBE122C86458790946A670EE178,SHA256=01E4B6629C178D4D44145BCCBEA7E40D1CECB10208BEAE6E29A7EEC5DAC868CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.649{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.649{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93FDBCE72B805E96719A54F4379EC56,SHA256=B8CFC173687E414968ACCE0C8378488E45525DB3653B3E4BCE21C6D92CB9DF24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:29.347{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=863FE028C9FDD81581715CDEBE7F19F0,SHA256=77219829167C93D8C83A1D216BA2700F2C0E3318DDBEB5BC8B7E3D81E3F88A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:29.131{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F31DFA666777BD976D399D2D3CC21E,SHA256=F8B1F694407F3EC8F55ED6196E208A292F77A1B2A552506FB2C002F62ABDEE11,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000110365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.274{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000110364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.274{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000110363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.274{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000110362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:29.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000110356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.113{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000110355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.112{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000110354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.111{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000110353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.111{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000110352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.109{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000110351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.109{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000110350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.108{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000110349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.107{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000110348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000110347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000110346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000110345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000110344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000110343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000110342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000110341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000110339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000110338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000110337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000110336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000110335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000110334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000110333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000110332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000110331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000110330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000110329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000110328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000110327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000110326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000110325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000110324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000110323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000110322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000110321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000110320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000110319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000110318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000110317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000110315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:29.088{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:29.088{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:29.088{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000110310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.088{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000110309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.089{7DAC9CB3-C5E9-63BE-E801-00000000A702}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:30.230{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65A6FFC562021B34AB350B4F1134B85,SHA256=83A23A8143273C1241F51EC30AD8C7FC3203DC63DADEB0D4FE63665DB87C9E66,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000110423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000110422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000110421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 11241100x8000000000000000110420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5898FAF48F95A7B31BE475251C7171D9,SHA256=072607BEBBA80A62622A7FB160213C4BC8AA1CB71CB0B712AB621626CFE52827,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000110418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000110417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000110416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000110415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000110414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000110413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.730{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000110412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.730{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000110411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.730{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000110410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.730{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000110409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000110408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual 
Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000110407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000110406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000110405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000110404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000110403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000110402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000110401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000110400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000110399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000110398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000110397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000110396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000110395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000110394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000110393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000110392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000110391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000110390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000110389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000110388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000110387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 
(rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000110385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000110384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000110383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x8000000000000000110382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:30.715{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000110380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 
10341000x8000000000000000110378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
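The events in this export have lost their XML tags, so each record is the System header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) run straight into the EventData fields in Sysmon's schema order. The parser below is an added example, not part of the Attack Range export or Splunk's tooling, and it assumes exactly that: RuleName is "-" (as on every record here), event 7 follows ProcessGuid/ProcessId/Image/ImageLoaded/.../Hashes/Signed/Signature/SignatureStatus, event 10 follows SourceProcessGUID/SourceProcessId+SourceThreadId/SourceImage/TargetProcessGUID/TargetProcessId/TargetImage/GrantedAccess/CallTrace, and event 3 follows the NetworkConnect layout. Two boundaries the flattening destroyed are deliberately not guessed: the version/description/product/company run in event 7 is kept as one raw string, and the concatenated SourceProcessId+SourceThreadId digits in event 10 (for example "8364356" on the svchost.exe record) are kept together. The hostname/port split in event 3 is heuristic. The sample input is three records copied from the export above (event 7 cryptbase.dll load, event 10 svchost.exe accessing sysmon64.exe with the CallTrace shortened, event 3 lsass.exe to ADWS over LDAP) plus two constructed records (record IDs 999001 and 999002, a made-up C:\Users\Public\dumper.exe) that the export does not contain, so the two first-pass rules (lsass read access from outside C:\Windows, image load whose signature status is not Valid) have something to fire on; those rules are this example's, not Attack Range detections.

```python
"""Parse the flattened Sysmon export above (field order assumed from Sysmon's
schema per event ID; boundaries the flattening destroyed are left raw) and run
two first-pass triage rules over it. Added example, not part of the export."""
import re
from dataclasses import dataclass

# System header: EventID Version Level(4) Task(=EventID) Opcode(0) Keywords
# RecordID Channel Computer, then EventData: RuleName('-') [EventType] UtcTime.
HEADER = re.compile(
    r"^(?P<event_id>\d+)(?P<version>\d)4(?P=event_id)0"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record_id>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>.*?)-"
    r"(?P<event_type>CreateKey|DeleteKey|SetValue|DeleteValue|RenameKey)?"
    r"(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$", re.S)

GUID = r"\{[0-9A-F-]+\}"
PATH = r"[A-Za-z]:\\"
HASHES = r"(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+(?:,(?:MD5|SHA1|SHA256|IMPHASH)=[0-9A-F]+)*"
BODY = {
    # 7 ImageLoad: ProcessGuid ProcessId Image ImageLoaded <meta> Hashes Signed Signature Status
    7: re.compile(
        rf"^(?P<guid>{GUID})(?P<pid>\d+)(?P<image>{PATH}.*?)"
        rf"(?P<loaded>{PATH}.*?\.(?i:dll|exe|sys|ocx|drv))(?P<meta>.*?)(?P<hashes>{HASHES})"
        r"(?P<signed>true|false)(?P<signature>.*?)"
        r"(?P<status>Valid|Invalid|Unavailable|Unsigned|Expired|Revoked)$", re.S),
    # 10 ProcessAccess: SrcGuid SrcPid+SrcTid SrcImage TgtGuid TgtPid TgtImage GrantedAccess CallTrace
    10: re.compile(
        rf"^(?P<src_guid>{GUID})(?P<src_pid_tid>\d+)(?P<src_image>{PATH}.*?)"
        rf"(?P<tgt_guid>{GUID})(?P<tgt_pid>\d+)(?P<tgt_image>{PATH}.*?)"
        rf"(?P<granted>0x[0-9a-f]+)(?P<call_trace>{PATH}.*)$", re.S),
    # 3 NetworkConnect: Guid Pid Image User Protocol Initiated, then IsIpv6 Ip Host Port PortName x2
    3: re.compile(
        rf"^(?P<guid>{GUID})(?P<pid>\d+)(?P<image>{PATH}.*?\.(?i:exe))(?P<user>.*?)"
        r"(?P<protocol>tcp|udp)(?P<initiated>true|false)(?P<src_v6>true|false)"
        r"(?P<src_ip>[0-9a-f.:]+)(?P<src_host>.*?)(?P<src_port>\d+)(?P<src_port_name>-|[a-z]+)"
        r"(?P<dst_v6>true|false)(?P<dst_ip>[0-9a-f.:]+)(?P<dst_host>.*?)(?P<dst_port>\d+)"
        r"(?P<dst_port_name>-|[a-z]+)$", re.S),
}

@dataclass
class Event:
    event_id: int
    record_id: int
    computer: str
    utc_time: str
    fields: dict

def parse(line):
    """Split one flattened event; event IDs without a body pattern keep 'raw'."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a flattened Sysmon event: " + line[:48])
    event_id = int(m["event_id"])
    bm = BODY[event_id].match(m["body"]) if event_id in BODY else None
    fields = bm.groupdict() if bm else {"raw": m["body"]}
    if m["event_type"]:
        fields["event_type"] = m["event_type"]
    return Event(event_id, int(m["record_id"]), m["computer"], m["utc_time"], fields)

PROCESS_VM_READ = 0x0010  # the access right a credential dumper needs on lsass.exe

def triage(events):
    """First-pass rules for a DC: lsass memory reads from outside C:\\Windows,
    and image loads whose Authenticode status is anything but Valid."""
    findings = []
    for ev in events:
        f = ev.fields
        if ev.event_id == 10 and "granted" in f:
            src, tgt = f["src_image"].lower(), f["tgt_image"].lower()
            if (tgt.endswith("\\lsass.exe") and int(f["granted"], 16) & PROCESS_VM_READ
                    and not src.startswith("c:\\windows\\")):
                findings.append((ev.record_id, f"lsass read by {f['src_image']} ({f['granted']})"))
        elif ev.event_id == 7 and "status" in f:
            if f["signed"] != "true" or f["status"] != "Valid":
                findings.append((ev.record_id, f"{f['status']} signature: {f['loaded']} in {f['image']}"))
    return findings

# First three records copied from the export above (event-10 CallTrace shortened);
# records 999001/999002 are constructed (dumper.exe, helper.dll) and not in the export.
SAMPLE = [
    r"734700x8000000000000000110423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.746{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid",
    r"10341000x8000000000000000110382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18",
    r"354300x8000000000000000110483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.810{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52057-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap",
    r"10341000x8000000000000000999001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:00.000{7DAC9CB3-C600-63BE-FF01-00000000A702}48004812C:\Users\Public\dumper.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Users\Public\dumper.exe+1c2f",
    r"734700x8000000000000000999002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.000{7DAC9CB3-C600-63BE-FF01-00000000A702}4800C:\Users\Public\dumper.exeC:\Users\Public\helper.dll-----MD5=00000000000000000000000000000000,SHA256=0000000000000000000000000000000000000000000000000000000000000000,IMPHASH=00000000000000000000000000000000false-Unavailable",
]

if __name__ == "__main__":
    parsed = [parse(line) for line in SAMPLE]
    for record_id, why in triage(parsed):
        print("FINDING", record_id, why)
```

Run over the three real records nothing fires: the image loads are all Microsoft- or Splunk-signed with status Valid, the ProcessAccess target is sysmon64.exe rather than lsass.exe, and the LDAP connection is lsass.exe answering ADWS on the loopback address, which is what a domain controller looks like at rest. Only the two constructed records produce findings. When applying this to the full export, treat the event 10 PID/TID digits and the event 3 hostname/port split as approximate and confirm against a tagged export before acting on them.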
10341000x8000000000000000110376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000110375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.715{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000110374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.716{7DAC9CB3-C5EA-63BE-E901-00000000A702}5544C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000110373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.119{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000110372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:30.119{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B64F0E3125BB6D792121AE93D1169C0,SHA256=81BCA5D062A33504D7E5C8A02322BE4034D6C288505C3B2034F33F2067687D4E,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000110371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:30.007{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000110370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:21:32.399{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A14C52D496506658E8A8B8A8CB7B41,SHA256=7466CCD5ACC4AE06358D7D792A825E3522A2FBBE41FD615E75C87519AE450332,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000110491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:29.889{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52058-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000110490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:32.167{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000110489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:32.166{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3D88AE656C2B042185EEB138EB0EAE69,SHA256=FC47D32A2FBCB5A2CF1B57BAC6D993279D4F4CF3F513984C75FCA726CACF42A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:33.481{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DB4513999E09416649C61C909EBB19,SHA256=08B62F24EAA425DF6BDD6D4DA0390BD22DF9CDD19B95650CE6EA08E17C390333,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000110544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.596{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000110543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.596{7DAC9CB3-C5ED-63BE-EB01-00000000A702}56845676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000110542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.596{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core 
Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000110541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.581{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000110540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.331{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000110539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.315{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft 
WindowsValid 734700x8000000000000000110538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.315{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000110537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.315{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000110536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.315{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000110535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.315{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000110534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.315{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000110533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.315{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000110532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000110531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000110530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000110529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000110528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000110527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000110526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000110525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000110523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000110522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000110521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000110520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000110519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000110518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000110517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000110516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000110515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000110514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000110513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000110512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000110511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000110510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000110509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000110508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000110507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000110506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000110505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000110504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000110503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000110502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000110500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:33.299{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:33.299{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000110495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.299{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000110494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:33.300{7DAC9CB3-C5ED-63BE-EB01-00000000A702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:34.566{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4A2782C253B071F30C689AA2E8D0E6,SHA256=F6599C3E128015D0C2037498CDBC83A95ED172D49F73B93DB44150E4FB4801B8,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000110653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.852{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.852{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C491D98C04E9284EFB94686F82409ED0,SHA256=6852ED8A016EDEFD077F8BB9CF7613E51FD46A6EBDDCA018CDCE9E105E2E47FA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000110651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.742{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000110650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.727{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000110649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.727{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000110648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.727{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000110647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.727{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000110646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.727{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000110645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.727{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000110644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.727{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000110643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.727{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000110642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000110641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000110640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000110639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000110638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000110637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000110636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000110635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000110634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000110633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000110632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000110631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000110630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000110629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000110628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000110627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000110626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000110625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000110624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000110623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000110622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000110621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000110620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000110619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000110618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000110617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000110616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000110615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:34.711{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000110611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000110610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000110609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000110607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000110605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.711{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000110604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.712{7DAC9CB3-C5EE-63BE-ED01-00000000A702}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000110603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:34.492{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.492{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CD0DCA8692FD42B8304AEBE021E7B7,SHA256=5F500C1956C90D955F43994AF093A4E58B7A13E9978ABF33B2094113E25DB85F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000110601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.308{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000110600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.308{7DAC9CB3-C5EE-63BE-EC01-00000000A702}41804284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000110599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.308{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000110598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.308{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000110597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.269{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.269{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.269{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.269{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.268{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000110592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.268{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000110591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.049{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000110590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.049{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000110589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.049{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000110588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.049{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000110587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.049{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000110586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.049{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000110585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.049{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000110584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.049{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000110583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000110582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000110581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000110580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000110579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000110578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000110577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000110576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000110575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000110574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000110572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000110571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000110570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000110569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000110568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000110567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe 
OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000110566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000110565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000110564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000110563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:34.034{7DAC9CB3-C5EE-63BE-EC01-00000000A702}4180C:\Program 
CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000110676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000110675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 
734700x8000000000000000110674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000110673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000110672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000110671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:36.543{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:36.543{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:36.543{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000110666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000110665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.543{7DAC9CB3-C5F0-63BE-EE01-00000000A702}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000110664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.275{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:36.274{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74DFF4CDA8FA8CDE05ECD04138E1AB4,SHA256=E30BD5D2A3440F3803B48FB0A40FC9914C869A0F4560AB464CE572D20C873A18,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000110662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:36.060{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 23542300x800000000000000041587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:37.979{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8565A0E1414F575384ED71FDA542C2,SHA256=A37A88DA2DA66CBA905A1D148B081FA986A63E97E4BF3EDF5A2BC4B0E725816F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:37.884{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:37.884{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AC90FD81943FAEBE18BFBBB33B9013,SHA256=0A3B5D0687DC5DFE99C40C790C87E6A1579148B29D45F7A5DB6E693E38DA01CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:37.822{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:37.822{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:37.822{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:37.822{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:37.822{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364356C:\Windows\system32\svchost.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000110725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:38.912{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:38.912{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C678182304247968E0ABD1A843CC52,SHA256=19871E6AC491676E687C0F5D30E117F7F5252390FF15442B61780D79BFF036EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000110728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:39.996{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2237EA15BCC18979964EFCB63CB4E25,SHA256=6CA69A11A17AF29092FFF571DC4705E2AC04CB7DBB32D6875179592BC6C2F026,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:36.707{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50066-false10.0.1.12-8000- 23542300x800000000000000041588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:39.179{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DFD4FC8BF1C7D20AAF3BE6A9A28E88,SHA256=B5B91A1FE3843189A69530AC89A063ED3499C8A71F0E9E2317FDA4EEF2198FDB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000110727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:39.084{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000110726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:21:39.084{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 23542300x800000000000000041590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:40.275{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB9E65B17E05552F2A2B0C82EEDDE29,SHA256=01344013B8F5163983BCDC588F608291472F0BA809213956D583E8224730C88B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:39.996{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x800000000000000041591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:41.369{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E2CDD7856E01F0E2DAFDA18A99A016,SHA256=A62F8D380E787937EE1E6B3CA82DFDFD373514AA84336C94D7B1172E18D4C8E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.969{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.967{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.959{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.959{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.954{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.951{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.947{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 354300x8000000000000000110751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:39.909{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52060-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000110750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.347{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.327{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.320{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.316{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.314{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.311{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.273{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.267{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.260{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.235{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.223{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.210{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.197{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.190{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.175{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.163{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.150{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000110733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.083{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.082{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5CD2D45991254A92B2A4351B042D7F,SHA256=35A28A7EE5FAF80A2F9E62A489BACA07A38EA26F963B4C20EC609C2A0208519D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.031{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x800000000000000041593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:42.669{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335F4771C04AF5F6DB6A44580437E9AA,SHA256=74F940121F02E10293B432C639DBFEBF4A16084CCF749F04F86AA9EA6D1534CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:42.273{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:42.273{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAFED5793E7DCB9B8170E2181E8FA99,SHA256=06C8C959986087F0B2DA4763C6FB7D9AA3F5B50A71E322C64922222961B39C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:42.353{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=359E6E7281FBB86D4041B9A7CB04E6BF,SHA256=A707EE77B48802032D2FF615A80648BB4EA2302389E02CE922A7DE82472E464C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:43.745{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DA6CE83FFBACEF03B369BEE33A68F3,SHA256=7A774C6B91D4BBC8A760CC256D6B2E21E0A7179542DD5FFE5E8A80B7E7073295,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:43.325{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:43.325{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3191921CE15A440E040C8C18851D3998,SHA256=78171661DA39C709BEAC527F50C8C75E3C75DFFF0EE54789983D5D39B1BD901E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.695{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 
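The records in this dump are Sysmon events (EventID 10 ProcessAccess, 23 FileDelete, 3 NetworkConnect, 11 FileCreate) whose XML field boundaries were stripped during export, so the values run together. The following is an added example, not part of the dump, of Splunk, or of the Aurora agent: it parses the EventID 10 records back into fields using the layout observed above (header digits are EventID, Version, Level, Task and Opcode fused, followed by the keywords mask and the record ID; the body is Computer, UtcTime, SourceProcessGUID, the fused SourceProcessId/SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace) and runs two checks a practitioner would want over such a feed: a system-binary look-alike running from a user-writable path (the `C:\Users\Administrator\AppData\Roaming\svchosts.exe` target seen in record 110784) and the GrantedAccess mask on handles to `lsass.exe` (the 0x40 in record 110731 is PROCESS_DUP_HANDLE without PROCESS_VM_READ, consistent with an EDR scan rather than a credential dump). The sample input copies records 110753, 110731, 110784 and 110751 from this page with call traces abbreviated, plus one invented record 999999 that does not occur in the dump. The fused PID/TID digits cannot be split unambiguously from the text, so the parser keeps them as one field.

```python
"""Parse Sysmon EventID 10 records from the flattened Splunk dump and run two
detections over them.  Added example; field names follow Sysmon, the header
layout is inferred from this dump and is an assumption."""
import re

# Header digits = EventID+Version+Level+Task+Opcode run together (inferred
# from this dump, e.g. "1034100" -> EventID 10, "35430" -> EventID 3).
EVENT_IDS = {"1034100": 10, "2354230": 23, "35430": 3, "1124110": 11}

HEADER_RE = re.compile(
    r"^(?P<hdr>\d+)0x8000000000000000(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<rest>.*)$")

# EventID 10 body as it appears here: Computer "-" UtcTime {SrcGUID} SrcPID+TID
# SrcImage {TgtGUID} TgtPID TgtImage GrantedAccess CallTrace
ACCESS_RE = re.compile(
    r"^(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
    r"\{(?P<src_guid>[0-9A-Fa-f-]+)\}(?P<src_pid_tid>\d+)(?P<src_image>[A-Za-z]:\\.+?)"
    r"\{(?P<tgt_guid>[0-9A-Fa-f-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Za-z]:\\.+?)"
    r"(?P<access>0x[0-9A-Fa-f]+)(?=[A-Za-z]:\\|$)(?P<calltrace>.*)$")

# A new record begins with the header digits followed by the keywords mask.
EVENT_START = re.compile(
    r"\s+(?=\d{5,7}0x8000000000000000\d+Microsoft-Windows-Sysmon/Operational)")

PROCESS_VM_READ = 0x0010          # contained in 0x1010, 0x1410 and 0x1FFFFF
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "conhost.exe", "dwm.exe", "spoolsv.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def split_events(blob):
    """Split a raw dump into records; the dump wraps mid-path after a space,
    so line breaks are dropped rather than turned into spaces."""
    text = blob.replace("\r", "").replace("\n", "")
    return [e.strip() for e in EVENT_START.split(text) if e.strip()]


def parse_event(raw):
    """Return a dict for one record, fully decoded only for EventID 10."""
    m = HEADER_RE.match(raw.strip())
    if not m:
        return None
    ev = {"event_id": EVENT_IDS.get(m["hdr"]), "rec": int(m["rec"])}
    if ev["event_id"] == 10:
        a = ACCESS_RE.match(m["rest"])
        if not a:
            return None
        ev.update(a.groupdict())   # src_pid_tid stays fused: not separable here
    return ev


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_finding(image):
    """Flag a system-binary look-alike running from a user-writable path."""
    p = image.lower()
    if not any(tok in p for tok in USER_WRITABLE):
        return None
    name = p.rsplit("\\", 1)[-1]
    for sysname in sorted(SYSTEM_NAMES):
        if edit_distance(name, sysname) <= 1:
            return f"{image} resembles {sysname} but runs from a user-writable path"
    return None


def lsass_finding(ev):
    """Grade a handle to lsass.exe by its GrantedAccess mask."""
    if not ev["tgt_image"].lower().endswith("\\lsass.exe"):
        return None
    mask = int(ev["access"], 16)
    if mask & PROCESS_VM_READ:
        return "high", f"lsass read access {ev['access']} from {ev['src_image']}"
    return "info", f"lsass handle {ev['access']} without VM_READ from {ev['src_image']}"


def analyze(events):
    """Return (severity, record_id, message) for every finding."""
    findings = []
    for raw in events:
        ev = parse_event(raw)
        if not ev or ev["event_id"] != 10:
            continue
        for img in (ev["src_image"], ev["tgt_image"]):
            msg = masquerade_finding(img)
            if msg:
                findings.append(("high", ev["rec"], msg))
        graded = lsass_finding(ev)
        if graded:
            findings.append((graded[0], ev["rec"], graded[1]))
    return findings


# Constructed sample: records 110753, 110731, 110784 and 110751 are copied from
# the dump with call traces abbreviated; record 999999 is invented for the test.
SAMPLE_EVENTS = [
    r"10341000x8000000000000000110753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.951{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810)",
    r"10341000x8000000000000000110731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:41.037{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810)",
    r"10341000x8000000000000000110784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.684{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810)",
    r"10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:00.000{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005400C:\Users\Administrator\AppData\Roaming\svchosts.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|UNKNOWN(00000000DEADBEEF)",
    r"354300x8000000000000000110751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:39.909{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52060-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-",
]

if __name__ == "__main__":
    for sev, rec, msg in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] record {rec}: {msg}")
```

Against the sample the Aurora-Agent sweep of svchost.exe produces nothing, its 0x40 handle to lsass.exe is graded informational, the svchosts.exe target in record 110784 is flagged, and the invented record (svchosts.exe opening lsass.exe with 0x1010) is flagged twice. To run it over the dump itself, pass the page text through `split_events` first; records that are not EventID 10 are skipped.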
10341000x8000000000000000110787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.694{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.692{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.689{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.684{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.681{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.680{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.680{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.678{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.658{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.637{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.599{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.589{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.573{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.564{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.562{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.559{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.555{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.552{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.550{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.548{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000110767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.456{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.455{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DB37B827AAD335E9CFA93BC460ED17,SHA256=DF565721353BA279B64F7274BF5583D8C6B54869DE3133838F855C79FB6DEDFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.598{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.594{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:21:44.592{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.589{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.587{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.583{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.582{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.580{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.578{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.574{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.567{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.563{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.561{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.552{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.542{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 
10341000x800000000000000041608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.540{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.522{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.513{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.483{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.475{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.467{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.459{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.451{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.445{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.435{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.428{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.421{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.414{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000041595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:44.410{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x8000000000000000110765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.032{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.031{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000110763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:44.030{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 354300x800000000000000041625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:42.694{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50067-false10.0.1.12-8000- 23542300x800000000000000041624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:45.329{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118C0284F9C1A2AAD7BA028EE2241B70,SHA256=6C3249EBAC9EE400F2E37CDDCA56324BB7AE10FAED6E41635118D8E4DEA14EDC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:45.572{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:21:45.572{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F22EF8ACF2446AB7947CEFBFF8F0B0,SHA256=770CEAF696E9AD9C022DB83D35DE4B58767726344B565B7CF324A7C9FDB9469B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000110820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:21:45.154{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d925c8-0x0891071a) 12241200x8000000000000000110819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:45.041{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000110818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:45.041{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000110817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:45.041{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000110816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:45.041{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000110815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:21:45.041{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000110814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A530C2FD1999DC848C14C955EAC5D5,SHA256=53F161500863BA2BC137E16FC2C08EA11B543F89F58B32A297B1866800C14AB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:53.757{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50069-false10.0.1.12-8000- 23542300x800000000000000041637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:55.209{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8F523B8467B8165D413EFCED1AE48D,SHA256=04F5F02E936DB61553760F00821277D5951F6D90EC4A5456FFDF53B0D72A73FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:56.784{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:56.784{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB3E8C7D0FCEA1FEFDC4E633CF95FB5,SHA256=2D4E221B373D69FD5235D5E939CC66E63AF8F8CB41933BD82E12EFA907F52CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:56.403{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A45B2A5CE458059A62C1DBE1D2F1C8,SHA256=32E30E7AE298C904F81BA828E75FB5BC74DA1046CBC03AD99691DA447328B87A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:57.877{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:57.877{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955D47568585B6B63A69CFB5485D6FCB,SHA256=728CE67C401B890A5F92DC3FFDEBF02DBDA05E15B9CC5F62F443B814A74F59DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:57.498{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3526DB27262CED18BE4842AD8A7829DB,SHA256=F0165BFF205B7103B7153362D7C1C779B16AAFE60C551FC4D2B23C9A9489B7B6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:57.658{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:21:57.658 11241100x8000000000000000110885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:58.955{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:58.955{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAE89618111173D068B091C18C4A3FF,SHA256=ED0A1551B7ADC632DF4D91A75B052C96245A367ADB3CAEB51BD9A242F3512115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:58.589{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C290BF1F23BBA74F4A3CE21798C9E70,SHA256=E3C186D510FEFA5226300D4D9F1814969EE40B44A029E80819993E13BDFA6C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:58.042{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E6342E263D690BC53D330799D4B6A430,SHA256=60ECD1E513D3285AEE8A43C8905F70A488B0F0ACDBD600937F504A4C6F4356E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:59.681{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF0890E474444AD284ABDFEDB8E78F2,SHA256=5C2C3247A7A5D98104A9DC4A3479E351847747BCFABA849FE8B849756C730B59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000110886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:21:56.960{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52063-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:00.760{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62AA1A1DDABECE138DB2C15E1147C86,SHA256=34C1EF0E731C57F8EB10C070C196D7BCCB9F77563F1626D529EB354BC897A521,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:00.047{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:00.047{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09AC4EB37D46BA44C4BA04F464DDF1D,SHA256=AD1F572CFED6A8227A777E697F0B2C1579C6AC8541DCB45980D6EA070464FA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:01.841{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E92F7B56CD083A9D7D65D178091FBC0,SHA256=39AE750B3D14E9AFA75831DDBEBA7CD7A32E4A9AE8AC715EE93206D8F344CD58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.866{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.864{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.847{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.845{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.839{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.834{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.830{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000110910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.572{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=860A661F5D56B33896FD3892F0748755,SHA256=3ED7F9D4EDC328E09F65CD51667B93AAE6BF9B357595078427E7E88217C443D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.270{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.249{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.244{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.241{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.238{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.174{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.163{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.157{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.137{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.126{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 11241100x8000000000000000110898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.116{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.115{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB9D58BE6F75A4E96CC31C7EE0C0742,SHA256=92D987B3683143B7F8469618EBC4B66D7D30B94C91CF9047180F7650E9E1B36E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.105{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.091{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.078{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.063{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x800000000000000041647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:01.153{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:01.153{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:01.153{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000110892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.051{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.043{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:01.002{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 13241300x8000000000000000110924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:02.858{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000110923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:02.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000110922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:02.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x8000000000000000110921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:02.139{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:02.139{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E873E4E8ECFD02EE6E202A0E655438,SHA256=F7686D7B6492F90129451F90680D2DD66E5DB54FD9C01D0FC93E32170107CF65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:02.139{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-11 13:50:01.763 23542300x8000000000000000110918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:02.139{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=950E13A59B3EAED7EF46363392FE9D98,SHA256=B9ADF18F2A4AA757583A75BF61A163F4AE924FA9B122A8575A57EE81043B5C93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:21:59.710{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50070-false10.0.1.12-8000- 13241300x800000000000000041649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 
14:22:02.420{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d925c8-0x12dba007) 10341000x8000000000000000110932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:03.900{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:03.899{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:03.898{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000110929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:03.748{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-030MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000110928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:03.746{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\respondent-20230111135017-0302023-01-11 14:22:03.746 11241100x8000000000000000110927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:03.745{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\surveyor-20230111135015-0312023-01-11 14:22:03.745 11241100x8000000000000000110926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:03.228{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:03.228{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2E2D50B5AAFA7D22957C4112C1379B,SHA256=6902204027586169CC99233C1A9672463CC8A87C84376ABDFF1AF5182367D9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:03.139{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1163B3B318DA20E25DFC17C55DBE047,SHA256=8995DC70B71187437A788098D5F55E02F7CD29BA1A9ED423E8B12AD931792AAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.780{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.775{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.771{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.766{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.764{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.756{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.755{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.752{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.750{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.743{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.729{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.726{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.717{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.709{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.695{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 
10341000x800000000000000041666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.689{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.671{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.655{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.616{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.605{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.593{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.579{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.557{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.538{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.482{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.451{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000041655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.443{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.434{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.432{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 23542300x800000000000000041652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5A7D9564D2B49E49B58467E814F5A4,SHA256=843DEEB8E00991E0A13217A44B8BB3B8BFE69F08A271AD09CA163D435EF3E357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000110956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:04.757{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.541{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.540{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 
10341000x8000000000000000110953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.537{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.535{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.530{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.524{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.523{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.523{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.521{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.506{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.491{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.453{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.441{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.427{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 11241100x8000000000000000110941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.424{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.423{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DFE8B3C00D78A43CA2C78C9AEAB791,SHA256=469E7EEF37871D1DD0E8EE8B0D26FA36469782D88942D129A1D013B09DE9F578,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.421{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.420{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.415{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.412{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.409{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.408{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000110933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:04.405{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000041682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:05.982{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635CAB1D92E290012BFABA9F67D81799,SHA256=02B3AB7B89D6AC5EA136D7E88D33D822CBBCF2867F2370BB810A594761190906,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000110963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:05.979{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000030476\VirtualDesktopBinary Data 12241200x8000000000000000110962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:05.979{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000030476 10341000x8000000000000000110961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:05.979{7DAC9CB3-BF8E-63BE-A600-00000000A702}45804820C:\Windows\System32\taskhostw.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000110960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:05.979{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 11241100x8000000000000000110959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:05.697{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:05.697{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBFE2EB3AF21CE92620960ABABF0AB3,SHA256=2BDCD5D55FEB4C3231BC7620A4CF81B0CE4CEF0B9E76BA805F2D4BD70468F891,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000110957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:02.941{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52064-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000110968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:06.795{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000110967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:06.795{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060FBB4873189F625ABDF27C4C7C687D,SHA256=C03E65F4500FA9FAA6F6D3749C031438D05983B1C5A6CAB8383935CA855A7B57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:04.712{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50071-false10.0.1.12-8000- 12241200x8000000000000000110966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:06.010{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths 12241200x8000000000000000110965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:06.010{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Internet Explorer\TypedURLs 12241200x8000000000000000110964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:06.010{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 10341000x800000000000000041688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:07.836{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:07.836{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:07.836{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:07.818{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:07.053{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E82B86554DE3C71B320EE71A8E4B4FE,SHA256=A9B5E5272649B8FC844DB9D0844CCA983CBE2C4ED0EA758FAE6B1465D2F38A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000110969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:07.029{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000041689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:08.133{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D94B23B1A6F1D06E08C21126AE04BCB,SHA256=63AF412FDD71DE51967F6F380551C48A88A77BF901B7140F70213C7EA29D0230,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000111002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:08.993{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x8000000000000000111001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:08.993{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Furyy.EhaQvnybtBinary Data
12241200x8000000000000000111000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:08.837{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
11241100x8000000000000000110999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:08.066{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000110998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:08.066{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAC366AE0C53EE5B56DEE1546CB6BE2,SHA256=D812F47437FA217F12C622488D64D2E45CA920195A873748F33572419E4AD58C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:09.516{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000041690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:09.346{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56894443A3E8DE14C2F7E71A6DECD1A7,SHA256=1A70839E55F61004680D5A9D70E75C07781F360A62C550EF2C39E1C75CE43FEE,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000111004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:09.120{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000111003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:09.120{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61F6DE5520342D133FBE2BD804496C5,SHA256=2046CDA5FF9593358A3D677F435752F339A3F5B46A0469E21F61F48F7B937079,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000041705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C612-63BE-7B01-00000000A802}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C612-63BE-7B01-00000000A802}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000041694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.962{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C612-63BE-7B01-00000000A802}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000041693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.963{3EE3745C-C612-63BE-7B01-00000000A802}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000041692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.431{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E810C5F8111BAA530FB7EB914DC93E2,SHA256=3B82AF0642C5454A11BC0C6190F30193036C0F0BFEF3CFFC0A067B81C749903C,IMPHASH=00000000000000000000000000000000falsetrue
12241200x8000000000000000111097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 734700x8000000000000000111094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:10.936{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\explorer.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDC,IMPHASH=AB0E9B104017117F7BE18F3C6AAC279AtrueMicrosoft WindowsValid 12241200x8000000000000000111093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000111069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000111068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000111067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000111066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000111065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000111064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000111063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000111062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000111061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000111060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000111059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000111057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000111056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000111055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000111052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000111051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x8000000000000000111050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:10.936{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\explorer.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D92AABEAF72AB2FB3B2E2F911477039E,SHA256=300FEBB1EFE1EECA4F535A828104A8F4AEF8FC4785A0456B2D8DA76E7EDAFC96,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 12241200x8000000000000000111049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000111047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000111046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000111045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.951{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x8000000000000000111042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.936{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 
12241200x8000000000000000111041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.936{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x8000000000000000111040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.889{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000030476\VirtualDesktopBinary Data 12241200x8000000000000000111039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.889{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000030476 10341000x8000000000000000111038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:10.873{7DAC9CB3-BF8E-63BE-A600-00000000A702}45804820C:\Windows\System32\taskhostw.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000111037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-DeleteKey2023-01-11 14:22:10.857{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000030476 
13241300x8000000000000000111036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.857{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRULista 13241300x8000000000000000111035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.857{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a%%appdata%%\1 12241200x8000000000000000111034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.857{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 13241300x8000000000000000111033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x8000000000000000111032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\Shell 12241200x8000000000000000111031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\33 12241200x8000000000000000111030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x8000000000000000111029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\MRUListExBinary Data 13241300x8000000000000000111028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\NodeSlotDWORD (0x00000021) 13241300x8000000000000000111027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000111026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\MRUListExBinary Data 12241200x8000000000000000111025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 13241300x8000000000000000111024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0Binary Data 13241300x8000000000000000111023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\MRUListExBinary Data 12241200x8000000000000000111022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0Binary Data 13241300x8000000000000000111020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.842{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:11.170{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7E79668CB70C5DF98B4309FE6229DBCE,SHA256=FE6C135ED8E04CE6DB30B1DE1BA66904CC48D899CC7701A24053FAA4B930426F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:11.090{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C612-63BE-7B01-00000000A802}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000041708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:11.088{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C612-63BE-7B01-00000000A802}4008C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000041707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:11.088{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C612-63BE-7B01-00000000A802}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 354300x800000000000000041706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:09.092{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50072-false10.0.1.12-8089- 13241300x8000000000000000111132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:11.063{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\Shell\SniffedFolderTypeGeneric 
13241300x8000000000000000111131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:11.063{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7LayoutBinary Data 12241200x8000000000000000111130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:11.063{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser 12241200x8000000000000000111129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:11.063{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 13241300x8000000000000000111128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:11.061{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon\QatItemsBinary Data 13241300x8000000000000000111127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:11.061{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon\MinimizedStateTabletModeOffDWORD (0x00000001) 12241200x8000000000000000111126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:11.061{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon 
12241200x8000000000000000111125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:11.061{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon 12241200x8000000000000000111124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.983{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 12241200x8000000000000000111123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x8000000000000000111122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x8000000000000000111121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x8000000000000000111120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x8000000000000000111119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x8000000000000000111118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000111117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000111116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000111115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000111113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000111112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x8000000000000000111111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000111108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000111107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000111106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 13241300x8000000000000000111105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LockedDWORD 
(0x00000001) 12241200x8000000000000000111104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar 12241200x8000000000000000111103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x8000000000000000111102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x8000000000000000111101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x8000000000000000111099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:10.967{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x8000000000000000111098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:10.967{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 23542300x800000000000000041742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:12.911{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967DC1D371F2C9F2F4743ED3A1BAEA1A,SHA256=9A12DB2A491396D701EA610598113F7E148C48CB978192B701E7EF3A1BE3697C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:10.745{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50073-false10.0.1.12-8000- 11241100x8000000000000000111201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:12.437{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000111200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:12.437{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934F5ED86D24A9BB5C1641F58A02C906,SHA256=F2C09306A0A0B9D7BC579F6878C8A74CC2C2F1B2885430EF82D3680B97289487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:12.554{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5B50FB1DE76C18B8EC5BAB36ED18F4A3,SHA256=61F56A2B4017E406E5B13FE73F0833DE7B357E3B1BACB8D0DD18881AF8B432D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:12.273{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE243B60B3E9D8A13D21A5630662A46A,SHA256=2F42F75A822916544442A430F0582C8586D03850B9B95014DA8165DCBDA65EBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:12.183{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C614-63BE-7D01-00000000A802}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:12.179{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:12.179{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:12.179{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:12.179{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:12.179{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:12.179{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:12.179{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:12.179{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000111257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 12241200x8000000000000000111255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\33\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} 12241200x8000000000000000111254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.290{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 
12241200x8000000000000000111235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.274{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.116{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x8000000000000000111233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.116{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ea515421-0000-0000-0000-100000000000} 13241300x8000000000000000111232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.109{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x8000000000000000111231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.109{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell 12241200x8000000000000000111230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:13.109{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34 12241200x8000000000000000111229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.109{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x8000000000000000111228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\MRUListExBinary Data 13241300x8000000000000000111227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\NodeSlotDWORD (0x00000022) 13241300x8000000000000000111226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000111225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\MRUListExBinary Data 
12241200x8000000000000000111224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 13241300x8000000000000000111223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0Binary Data 12241200x8000000000000000111222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.108{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 
12241200x8000000000000000111218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 
12241200x8000000000000000111212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.107{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.106{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 
12241200x8000000000000000111206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.106{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.106{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.106{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:13.106{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:13.106{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 10341000x800000000000000041771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.825{3EE3745C-C616-63BE-7F01-00000000A802}36162324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.653{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C616-63BE-7F01-00000000A802}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:14.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.653{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C616-63BE-7F01-00000000A802}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.653{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C616-63BE-7F01-00000000A802}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.654{3EE3745C-C616-63BE-7F01-00000000A802}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:14.202{3EE3745C-C615-63BE-7E01-00000000A802}11041524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000111492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.983{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x8000000000000000111491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.983{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x8000000000000000111490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane\ExpandedStateBinary Data 12241200x8000000000000000111489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane 13241300x8000000000000000111488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 
12241200x8000000000000000111487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x8000000000000000111486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner\ProperTreeModuleInnerBinary Data 12241200x8000000000000000111485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner 13241300x8000000000000000111484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000111483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000111482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:14.968{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000111481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\SniffedFolderTypeGeneric 12241200x8000000000000000111480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 
12241200x8000000000000000111476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 
12241200x8000000000000000111470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 
12241200x8000000000000000111464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 
13241300x8000000000000000111458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x8000000000000000111454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000111453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x8000000000000000111452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000111451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000111450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000111449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000111448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000111447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000111445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000111444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000111443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 12241200x8000000000000000111441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} 12241200x8000000000000000111440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.940{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:14.923{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000041789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.274{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C617-63BE-8001-00000000A802}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000041788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.274{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C617-63BE-8001-00000000A802}3852C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000041787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.274{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C617-63BE-8001-00000000A802}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000041786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.274{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C617-63BE-8001-00000000A802}3852C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0) 10341000x800000000000000041785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.151{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C617-63BE-8001-00000000A802}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:22:15.151{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.151{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C617-63BE-8001-00000000A802}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.151{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C617-63BE-8001-00000000A802}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.153{3EE3745C-C617-63BE-8001-00000000A802}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:15.151{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24287DD0E6A502E456659A8BFE7E00A,SHA256=4A82C8BAA6E3EC7AD2B8A862D125B5423B904827B0FA92EA35DE7F4FEACAD6BF,IMPHASH=00000000000000000000000000000000falsetrue 
12241200x8000000000000000111513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 
12241200x8000000000000000111507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 
13241300x8000000000000000111501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x8000000000000000111499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000111498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:15.077{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\SniffedFolderTypeDocuments 13241300x8000000000000000111497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:15.061{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\MuiCache\165\52C64B7E\LanguageListBinary Data 13241300x8000000000000000111496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:15.061{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000040540\VirtualDesktopBinary Data 12241200x8000000000000000111495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:15.061{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000040540 13241300x8000000000000000111494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:15.031{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000111493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:15.031{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 10341000x800000000000000041806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:16.548{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C618-63BE-8101-00000000A802}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000041805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:16.548{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:16.548{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.154{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x8000000000000000111627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirectionDWORD (0x00000001) 13241300x8000000000000000111626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PIDDWORD (0x00000000) 13241300x8000000000000000111625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000111624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000111623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 
13241300x8000000000000000111622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000111621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000111620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000111618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 
13241300x8000000000000000111617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000111616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 12241200x8000000000000000111614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} 12241200x8000000000000000111613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 
12241200x8000000000000000111612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 
12241200x8000000000000000111606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.139{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 
12241200x8000000000000000111600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 
12241200x8000000000000000111594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary 
Data 12241200x8000000000000000111588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.127{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.000{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket 12241200x8000000000000000111584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.000{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ea515421-0000-0000-0000-100000000000} 13241300x8000000000000000111583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.000{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x8000000000000000111582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.000{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell 12241200x8000000000000000111581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.000{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36 12241200x8000000000000000111580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:17.000{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x8000000000000000111579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.000{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\MRUListExBinary Data 13241300x8000000000000000111578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:17.000{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\NodeSlotDWORD (0x00000024) 13241300x8000000000000000111577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000111794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000111793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000111792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000111791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000111789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000111788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000111787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 12241200x8000000000000000111785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\36\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} 12241200x8000000000000000111784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.262{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 12241200x8000000000000000111768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 
12241200x8000000000000000111767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 
12241200x8000000000000000111761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary 
Data 12241200x8000000000000000111755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.246{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x8000000000000000111752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x8000000000000000111751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell 12241200x8000000000000000111750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37 12241200x8000000000000000111749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x8000000000000000111748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\MRUListExBinary Data 13241300x8000000000000000111747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\NodeSlotDWORD (0x00000025) 13241300x8000000000000000111746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000111745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\MRUListExBinary Data 
12241200x8000000000000000111744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 13241300x8000000000000000111743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0Binary Data 12241200x8000000000000000111742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:18.081{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000111990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupViewDWORD (0x00000000) 13241300x8000000000000000111989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfoBinary Data 13241300x8000000000000000111988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\SortBinary Data 13241300x8000000000000000111987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSizeDWORD (0x00000010) 13241300x8000000000000000111986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewModeDWORD (0x00000001) 13241300x8000000000000000111984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ModeDWORD (0x00000004) 13241300x8000000000000000111983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid{137E7700-3573-11CF-AE69-08002B2E1262} 13241300x8000000000000000111982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlagsDWORD (0x41200001) 13241300x8000000000000000111981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\RevDWORD (0x00000000) 12241200x8000000000000000111980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\37\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} 12241200x8000000000000000111979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 12241200x8000000000000000111978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 12241200x8000000000000000111971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 
12241200x8000000000000000111963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.798{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 12241200x8000000000000000111962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\0 12241200x8000000000000000111961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 12241200x8000000000000000111960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\0 12241200x8000000000000000111953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 12241200x8000000000000000111952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 12241200x8000000000000000111944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.783{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 13241300x8000000000000000111943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\38\Shell\KnownFolderDerivedFolderType{57807898-8C4F-4462-BB63-71042380B109} 12241200x8000000000000000111942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\38\Shell 12241200x8000000000000000111941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\38 
12241200x8000000000000000111940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags 13241300x8000000000000000111939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\0\MRUListExBinary Data 13241300x8000000000000000111938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\0\NodeSlotDWORD (0x00000026) 13241300x8000000000000000111937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data 13241300x8000000000000000111936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\MRUListExBinary Data 12241200x8000000000000000111935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\0 13241300x8000000000000000111934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0\0Binary Data 12241200x8000000000000000111933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 12241200x8000000000000000111932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 12241200x8000000000000000111930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 
12241200x8000000000000000111929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 12241200x8000000000000000111927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 12241200x8000000000000000111926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0\0 12241200x8000000000000000111925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0\0 12241200x8000000000000000111924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0\0 
12241200x8000000000000000111923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0\0 12241200x8000000000000000111922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0\0 12241200x8000000000000000111921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5\0 13241300x8000000000000000111920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data 12241200x8000000000000000111919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\5 13241300x8000000000000000111918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:20.454{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.636{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.634{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.630{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.625{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.615{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.611{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.605{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.587{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.571{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 
10341000x800000000000000041830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.566{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.545{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.527{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.499{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.487{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.478{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.466{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.460{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.454{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.444{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.435{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.427{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.417{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.413{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 23542300x800000000000000041816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:24.262{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71E15D14222F79D7E73DACFEB87EC53,SHA256=563E822FFA2528E4C42B55DBDB031073A84A4AB6B3D50D9F0929964645DED4BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:24.537{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.535{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.533{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.530{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.527{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.525{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.524{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.523{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.522{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.505{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000112141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:24.494{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000112170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.083{7DAC9CB3-C625-63BE-EF01-00000000A702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000112169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.083{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000112168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.083{7DAC9CB3-C625-63BE-EF01-00000000A702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000112167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.083{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:29.083{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.083{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:29.083{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C625-63BE-EF01-00000000A702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000112163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.083{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C625-63BE-EF01-00000000A702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000112162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.083{7DAC9CB3-C625-63BE-EF01-00000000A702}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:30.026{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF91BEBF10CF89AD06984064A2E7DA8,SHA256=1F9ED641F34EF1E69CEBD3319E64A3D1EDAC7081FA9F02818D65FFFBF6E42CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.821{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2A471D5CCEF640AA6411913C093455BD,SHA256=3351B32767C3A7EA27FA1FA8C6C0BC75EAA48D4D7B54399929F8BABACCB4DC6B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000112266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.759{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000112265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.759{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000112264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.759{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000112263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.759{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000112262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.743{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000112261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.743{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000112260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.743{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000112259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.743{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000112258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.743{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000112257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000112256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000112255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000112254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000112253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x8000000000000000112252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000112251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000112250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000112249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000112248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000112247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000112246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000112245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000112244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000112243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000112242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000112241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000112240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000112239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000112238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.728{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000112290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000112289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000112288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000112287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000112286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000112285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000112284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating 
SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000112283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000112282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 
734700x8000000000000000112280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 10341000x8000000000000000112279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:31.223{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000112276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 
10341000x8000000000000000112275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000112273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000112272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.223{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000112271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.224{7DAC9CB3-C627-63BE-F101-00000000A702}4728C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000112270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.993{7DAC9CB3-C626-63BE-F001-00000000A702}57045624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.993{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000112268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:30.993{7DAC9CB3-C626-63BE-F001-00000000A702}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000041853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:32.312{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77772690ECB289872A8DAD83D6CF0522,SHA256=098ECDE53344EC97AC15D8052254DF1FBD07FF24C6FF71818192A68FBFC246BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.825{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52070-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000112337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:29.825{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52070-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 11241100x8000000000000000112336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:32.079{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:32.079{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE8AD815071D6E72772EBB2A6EF5AB1,SHA256=1C64409FC359BB9E01986AE679818EE7B5977AACBE14E8F76DEAB16C32465C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:33.410{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DE50D805013C5B6177725FC9950FB7,SHA256=6B03E787056EAD6CDAB8EAE590BBFE4742D44F615C048B98E364E3C141007BB6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000112394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:33.770{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary 
Data 13241300x8000000000000000112393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:22:33.770{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 734700x8000000000000000112392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.594{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000112391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.591{7DAC9CB3-C629-63BE-F201-00000000A702}41201856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.591{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000112389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.591{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000112388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.306{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000112387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.306{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000112386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.291{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000112385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.291{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000112384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.291{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000112383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.291{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000112382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.291{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000112381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.275{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000112380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000112379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000112378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000112377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000112376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000112375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000112374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000112373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000112372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000112371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000112370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000112369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000112368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000112367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000112366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000112365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.259{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000112364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000112363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000112362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000112361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000112360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000112359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000112358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000112357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000112356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000112355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000112354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000112353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000112351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000112350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000112349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000112348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:33.244{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:33.244{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000112343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.244{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000112342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.245{7DAC9CB3-C629-63BE-F201-00000000A702}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000112341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.175{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:33.174{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA29252FC7C5D6A847A2C4AB135EA97,SHA256=B93DE5CF3F579ACC0BD8D38D8EEA37F5EEB45DDB7BB42DD723B507D4BB29F487,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:31.025{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52071-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:34.511{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0293070218712C66F8B592480F3A46,SHA256=24B1C532C6F61CEAB90834B05EBCDC16C3409C8483F09FB5A8FCF9A7CC24C4F2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000112448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:34.478{7DAC9CB3-C62A-63BE-F301-00000000A702}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000112447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:34.478{7DAC9CB3-C62A-63BE-F301-00000000A702}40045028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:34.455{7DAC9CB3-C62A-63BE-F301-00000000A702}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000112445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:34.455{7DAC9CB3-C62A-63BE-F301-00000000A702}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
11241100x8000000000000000112444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:34.377{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:34.377{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8ED5B52692F45BBF2B5403489EB6C44,SHA256=F2315BEDE9CE5BBFA1899CA7AB121F2015B37428B9BF3D13D76E0CBA484FC438,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000112442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:34.158{7DAC9CB3-C62A-63BE-F301-00000000A702}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000112441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:34.158{7DAC9CB3-C62A-63BE-F301-00000000A702}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
734700x8000000000000000112485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000112484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000112483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000112482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000112481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000112480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000112479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000112478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000112477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000112476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000112475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000112474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000112473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000112472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000112471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000112470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000112469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000112468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000112467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000112466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000112465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000112464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000112463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000112462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000112461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000112460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000112458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000112457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000112456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000112455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:35.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:35.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:35.004{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000112450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.004{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000112449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:35.005{7DAC9CB3-C62B-63BE-F401-00000000A702}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:36.684{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53090C2762CEEE2A64D0B616288E76C,SHA256=26C13F7033AE1318B7B321932E0A919BECC363A766D02275569E2815AD9B040B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000112558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:36.711{7DAC9CB3-C62C-63BE-F501-00000000A702}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000112557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:36.711{7DAC9CB3-C62C-63BE-F501-00000000A702}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.873{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.868{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.866{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.863{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.393{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.376{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.369{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.365{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.362{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.359{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.327{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.319{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.313{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.296{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.283{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.273{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.264{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.256{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.234{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.218{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.207{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.088{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 11241100x8000000000000000112568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.077{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.077{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEE80297F7240B92FC3BC9515F3D2AE,SHA256=FDB2FB20257E90DD4DF2BAC50FFDF187A4A393AAED79A413B811CDC216FB8AB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:41.059{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 23542300x800000000000000041865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:42.752{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F24BF3332EDF95AB157B80BDF81C45AC,SHA256=52FC8CED36E2F187656EAC70D0996848A49A7529CBA41CF40A9FCC0477DE8D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:42.096{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BBFB8343FC2973FBC551BFA57E3DA4,SHA256=916126D4F7E5D816A862C18D8397381AD4E23BE1D592C3E8DF2D9163274E9746,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:42.106{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:42.106{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48209F294467AA1585BE136680000B2,SHA256=E92C9B70922BB807AC1BC5B7EC17A590A2BF424373E39607B5AF0320F2664211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:43.178{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC890A77B157030F33F63FB84DF95FD,SHA256=14C704999927E01E109D661B3FF8196D01764B02ED9EB65311B58041A8109974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:43.923{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:43.922{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:43.920{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 11241100x8000000000000000112597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:43.174{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:43.174{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC2B69BEF81F808F42A5A9EAF6F66F8,SHA256=834FE5F9D056AEBF4495CFE2CA9E9D34987734AE6F9749D6DC4E104E82F3CB1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.605{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.603{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.601{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.599{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.597{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.595{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.594{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.592{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.591{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.586{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.577{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.569{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.567{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.559{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.551{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.548{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.529{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.519{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.493{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.483{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.474{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.468{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.462{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.456{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.445{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.438{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.427{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.421{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 10341000x800000000000000041868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.418{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013900190) 23542300x800000000000000041867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:44.374{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF500292669DF16AC23B627813B33C8F,SHA256=F447838BC7B63E2DE1B724FB1FFCC48D987B67F5786F81CEFFC7EEF81D5D8399,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.555{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:44.553{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.551{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.548{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.544{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.542{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.541{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.541{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.538{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.525{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.514{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 354300x8000000000000000112613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:42.960{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52073-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000112612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:44.482{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.468{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.451{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.445{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.443{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.439{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.436{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.432{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.431{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000112603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.429{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 11241100x8000000000000000112602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.243{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:44.243{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1C730D88E79C324A34B70CE33DBD15,SHA256=B043AFD51619D9FB9049386409139617FCD753F835E5DE240DA088DA1FB69719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:45.874{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496740780DA857CE8045775C3ED388D7,SHA256=71A43CDEBD0DC3190D6F01AB765412E35FD3F52E0DB43BB390EFFCBD3649176D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.448{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.448{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F85CED03A6E203778C07D5AD8D30C6,SHA256=E00972AB44F9D562BC30361EC6DB22DDE37EED9FDFAE50C3C20139F0E84443D9,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000112655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000112654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 10341000x8000000000000000112648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:45.015{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.015{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:22:45.015{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000112645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000112640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000112634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.015{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 734700x8000000000000000112633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.008{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000112632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.008{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000112631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.007{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000112630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x8000000000000000112629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:22:45.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x8000000000000000112628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:22:45.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x8000000000000000112627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000112626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.003{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000112625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:45.002{7DAC9CB3-BE88-63BE-0C00-00000000A702}836872C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program 
Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:46.986{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0FB1CC0E6AF1791FA756A965FF9EEE,SHA256=EF4BA853594FD246362921C1C5B14D50DDB542863790156DD5D3FF9FB48D912E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:46.619{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:46.619{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ADD604C43C4002C8350C1D6AB5DF21,SHA256=88D962B344747ACE5FCE70683C307CC30C019A307ABE045FBEA76682801902DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:47.714{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:47.714{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220362D0ED55E71EDAB8E4012F223333,SHA256=654F8A6E14F7606DE37E2C88896B3D51CA907E56037CC0F93145DF8CBCA3E0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:47.798{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-031MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:48.801{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:48.801{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325A0AB4DD86884C9021EA88BC83F4A2,SHA256=F34706FF4F9B9CFED4FE19ACC6BE7BC197FDA407CF0809B549F85DA3E7D7FB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:48.798{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:45.672{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50079-false10.0.1.12-8000- 23542300x800000000000000041900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:48.062{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F8256227DBA8C1A20D25A3C890C2C9,SHA256=51B54F2DDEF8D447C7DA61870AA6E9A123BE6B7B025028E1F3D3A0FE62387444,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:49.892{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:49.892{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6585CF832D1631E45039EF0C7A4C9863,SHA256=52BF68F1659BCED00D5FC37B0EFD8098FCA533FA7B7E081C8CF51CCEC37E66E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:49.155{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FB1C4A1628225A401BCEFD0A0855F4,SHA256=BBFB3603AEDAC85A21465003982D09561B39CCD4F5EE28BC5A9F38095D81DBBE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:50.981{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:50.981{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC44232E3F6148AA77143CF24F2FAE4C,SHA256=A0DBD3B9E3B7AB8F48C6B9C1D43EB3A7F4C8BF3C93A0FDC8BA97D35C66942C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:48.884{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52074-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:50.239{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7375A0D4B0D1448272661A6137F2AD,SHA256=4DEE1CC79539877E6F7798DFF0D649EDE2422F5873B3B4F0A376A7BDE646CE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:51.536{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D592EB0601DD5527625674D6EFA32669,SHA256=F41E387A45502A46593A104B2DFA0DB062FB996D1AE479D48EA94785DAFC3281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:52.645{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5440C31895CC99342432DF080C9E92C3,SHA256=967179D97BC8DE01BF7452E43821BD5F9183FD3BB38E883C69633543DB0C3635,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:52.072{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:52.072{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF23F4B85E29163E53488145E9EAE59,SHA256=828A59ADBDFD81A776BDD93B67F02E686AA32D62C61DEBF333CF53A05172E9C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:50.736{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50080-false10.0.1.12-8000- 23542300x800000000000000041908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:53.749{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C55ADFE0D79F8C8353011D97151D73,SHA256=B5C31A5AB5076AEE9F1E4DB06EADB6A0C8FD5E260A253C54AE62B03C37EC3488,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:53.160{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:53.160{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC688A06AC088B0E4E87EC9D9FA23773,SHA256=15E29F7F71B5CFB9346C0EBBD25EC8206AE68D85ACEE039EF22BD7EFDFD206A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:54.843{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3DF9CD3AB2CCA1C4C87905A8CF076E,SHA256=690F497E05B964B18AFD8DECFD2F04F3BAB5520C921966F186E0A44CDA673238,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:54.269{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:54.269{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD11D72400E26FD4384CA8F728EDCF9,SHA256=B602D4EFD40924949FC621627D58B82E0B3DB66DB130E5C567766090F4DDAEE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:55.933{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41386A43556DFE0D350AFA48610ED28B,SHA256=C72E4A65748DDAFCC3C8A4F0AC8394836EE62B6275F96A4E77762F2874075675,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:53.976{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52075-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000112676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:55.349{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:55.349{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CA21E008A000422BB63A4213C8200D,SHA256=F0BA3E0CE382AAD41EED873065BFB24106D383E1329573EFA1076B7699117369,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:56.455{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:56.455{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EEDC1D60EECFDB7DF6654A4BF86E01,SHA256=804D2F7E120D4637D2A4ADC3754085901A2D0F3D21FE2F8AE88DDE6F3040CE30,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000112682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:57.669{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:22:57.669 11241100x8000000000000000112681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:57.528{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:57.528{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDA78C7EFA95C5766EBF25B291E1F5F,SHA256=6D41B61A5D65BCCF23A131E9072784766B47BC8EDDE5AB999F408F0A5E904823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:57.024{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56421E14B3CFB9951DEDE336DF970EEA,SHA256=8164989029E55C8BDF3346C2988A3D71C6164A2EA30F745ED2C6E03C04304860,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:58.629{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:58.629{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA53C16E9C9D9E8A3B9EE1D5C2D90FE9,SHA256=113B0280B9A402E27254FC7CBDAA12A00AAB8EA0F5D35975E0D6350E1F1ED467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:58.108{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436049E8BB7A168D26501DD76D538646,SHA256=28B0F429E5458F7556C15F262DC62AEA631B5742C2DD999A0F067B764F6B6FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:58.046{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2DAA937C6443ECFABCC65B3330A4C2FE,SHA256=1419BA5C7CEB9A678349977E36F17A82651DEF1AA81CFD40BC54B9B314E48BC2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:59.832{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:22:59.832{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2C7D9BD8DA38A16396F3946CED8C40,SHA256=A4FE9D5C32680C28261F612F28C9D93ADEA05EFA5AB3A25F90546287A6EB15A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:56.771{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50081-false10.0.1.12-8000- 23542300x800000000000000041924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:22:59.309{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB9294078392D744C4814BB43D29B39,SHA256=C2624F8672BE156467C6D0C7EBC24F2EB6A379B162F446EF22DCF92037556DBC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000041923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000041922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 
14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001e4b9d) 13241300x800000000000000041921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925bf-0xd25bc072) 13241300x800000000000000041920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c8-0x34202872) 13241300x800000000000000041919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925d0-0x95e49072) 13241300x800000000000000041918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000041917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001e4b9d) 13241300x800000000000000041916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 
14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925bf-0xd25bc072) 13241300x800000000000000041915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c8-0x34202872) 13241300x800000000000000041914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-SetValue2023-01-11 14:22:59.137{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925d0-0x95e49072) 10341000x8000000000000000112689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:00.994{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 11241100x8000000000000000112688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:00.926{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000112687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:00.926{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A37D6AAB4F02D9E186B9BB475C8CA85,SHA256=A3B2B0837E630A5F642876AD8DD7350ABF13374B11F41A8F135DBBE909E5B70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:00.516{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DA9D99933B9B80822B03AFCAEA1B13,SHA256=8A0AD18DD79212F2D17BA2F4AE5CB947DC0E6293574F3BCE6D989A273CF3D398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:01.594{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F3A5D0CDCC230E0C2E3DAD5A47D1BA,SHA256=73B7767DBE53C81152BE2DA9E6E0816FA15127E3A2AE7E5C1464407B6FE70561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.752{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.749{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.741{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.739{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.734{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.729{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.726{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.223{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.206{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.196{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.192{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.191{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.189{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.159{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.154{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.150{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.135{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.125{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.114{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.102{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.095{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.068{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.050{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:01.041{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.503{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.492{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.483{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.475{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.461{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.450{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.437{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.429{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 10341000x800000000000000041931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:04.425{3EE3745C-BE85-63BE-2100-00000000A802}15522908C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013439810) 23542300x800000000000000041960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:05.417{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3A84470B6C5023220AD36C4A8123E0,SHA256=012789FEB96FF9D9B28C39B94843CB9D17E1839F55F0A06B170A67964746BA95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:05.336{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:05.336{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BA4A1CA3A9C8846D769A9C5A29B893,SHA256=31A31B4D07C2FE7B0A6D0225DBD86FCFD9523100BE493EE194E822E1376FDEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:05.280{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-031MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:05.278{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\respondent-20230111135017-0312023-01-11 14:23:05.278 11241100x8000000000000000112749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:05.276{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\surveyor-20230111135015-0322023-01-11 14:23:05.276 23542300x800000000000000041961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:06.579{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A201531E0CD36536E4C5127D596A78D,SHA256=E342774473C80285459EFAD90FCCF4F8A50C15E6250F28F528F542EA2E58FFD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:06.324{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:06.324{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDCBD3456DC5E99D61CC30ACBE04A5F,SHA256=2C0C92EA6E026CF79571CDE7FC203D134EEA5A647F6F446A7BDC7FABA66360F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000112754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:06.287{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:07.819{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:07.659{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DE0118ACECA9ED2F99A828FDCA44AC,SHA256=CD099131A5078F93707D4B0A0DB91FAAB9AC4456AA5CF75076773A6CED6DFAC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:07.414{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:07.414{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43086141BD076837E7E952ABD9532B40,SHA256=BB534AB6607E3DE859895771882F1E754E136C8DEB6AE463BF2AF2CA14E0607A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:04.897{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52077-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:08.954{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151CED139D0E6989C49DB11DAAB361C6,SHA256=D7C9EA565A57210C3A7E6C9BAB85BD3138AC686A1C1A5004F2EEEA4C8D51E996,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:08.499{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:08.499{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1C19FA71E7CBD295A6D7928B65141C,SHA256=B22C837C8D4797A14275FDDDB53D13D3CFE54A5B471047C27EF946BDD89FD2B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:09.611{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:09.611{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF576EEEB1C7F8FA9DB6BB46B2D3A43,SHA256=2A8964039699A63640A3959BF63D9505E3FB9F08A4D79A27489F92944BE3E658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:09.545{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:10.716{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:10.716{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB73D9F52B84125283385CC5953C853,SHA256=ADBC3B373321B2137F0319AEF0B89F09DF96C88C0D7AA68A8DC529EF7AD5455F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.982{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C64E-63BE-8201-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:10.980{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.980{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:10.980{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.980{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:10.980{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.980{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:10.980{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.980{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:10.979{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.979{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C64E-63BE-8201-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000041969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.979{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C64E-63BE-8201-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000041968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.978{3EE3745C-C64E-63BE-8201-00000000A802}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000041967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:07.686{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50083-false10.0.1.12-8000-
23542300x800000000000000041966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:10.034{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731E810CA714E86DE0BECA5D159A8CC1,SHA256=708F873AC907B43AE90C3B28CFB0C1EC669BA91C221706230AD19C4C20517728,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000112767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:11.784{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000112766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:11.784{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5499723CD532E53CE685A629130A533F,SHA256=A4EB7F7F8BCA5AFB219C3396C9894BC4E63B9ACFC2C2B45BE69B51CB750838B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000042001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.963{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1BDCE8D958CC4724A7BD9D946F5CE37D,SHA256=D96746B5AA67A95BFB4B24793211A239375B44FFF5837C9E3CF47BE01CBF16DB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000042000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.863{3EE3745C-C64F-63BE-8301-00000000A802}39563904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000041999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.814{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CDF34554CF947DF68B97A2A21BE20446,SHA256=34DAD8A9D88FCB3E8B246F3FE6A3F53DAB6351DA62C65B9F04B58DB24C029FBE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000041998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.788{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C64F-63BE-8301-00000000A802}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0)
10341000x800000000000000041997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.788{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C64F-63BE-8301-00000000A802}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0)
10341000x800000000000000041996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.788{3EE3745C-BE85-63BE-2100-00000000A802}15522904C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C64F-63BE-8301-00000000A802}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A003D0)
10341000x800000000000000041995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C64F-63BE-8301-00000000A802}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000041985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C64F-63BE-8301-00000000A802}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000041984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.568{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C64F-63BE-8301-00000000A802}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000041983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.570{3EE3745C-C64F-63BE-8301-00000000A802}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000041982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:09.119{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50084-false10.0.1.12-8089-
23542300x800000000000000041981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:11.115{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D91E27C95C8A36A8A8CB8D82221404,SHA256=0304F3FB1983FD0E30EA518A9EA2C181421B0FC5073ECC359E80ABFA354109C4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000112770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:12.857{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000112769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:12.857{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCD6BB538504886D53D7B345A698F57,SHA256=85234FDAA51E533585086F1BD5F452C49E030DF3B2D9E18484AAB3143FDF20AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000042016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.300{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F1A88ADCD6DC03505BEF7E01927F73,SHA256=E7C957F6A6D8652D859D02385FDF8EEC27E888C736A3B4372A2231966E01B35D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000112768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:10.893{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52078-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000042015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C650-63BE-8401-00000000A802}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C650-63BE-8401-00000000A802}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000042004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.116{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C650-63BE-8401-00000000A802}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000042003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.117{3EE3745C-C650-63BE-8401-00000000A802}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000042002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:12.084{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7208B80146026ED9E5909D4322E80367,SHA256=C8FDE0C93B34D858A8DD29C25656D91CBC6457F732E9B50691052A4F69C79631,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000112772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:13.935{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990
23542300x8000000000000000112771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:13.935{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9A9C24D9AFE8A2B94FB4749B6A5AB6,SHA256=D69A53F8D879D52363CBD8479D3F1C073DFC05356F74865C201E167D21AD4612,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000042030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C651-63BE-8501-00000000A802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000042025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:13.987{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C651-63BE-8501-00000000A802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.987{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C651-63BE-8501-00000000A802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.988{3EE3745C-C651-63BE-8501-00000000A802}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.408{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A57D908FDF501E5978F98C3B71F8C6,SHA256=A0AC7760E1D5A8CDDE533B8E19688501BFA00369BC0B55910FA7520EF676620C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:14.956{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000112773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:14.956{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3834ABFE854104ECCCE33B5AAF2D08B0,SHA256=3AF7833FD3ECC285E8D40A4F5AD8510300DA5CC335160FED6E717D1D846BA516,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.665{3EE3745C-C652-63BE-8601-00000000A802}8363796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.494{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978A9775F024260785963E05ADF9E2A6,SHA256=84687194009A639F48179297600D79AEE56A986FD6A4E586FBC1C1511FBCBC34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.478{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C652-63BE-8601-00000000A802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.478{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.478{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C652-63BE-8601-00000000A802}836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.478{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C652-63BE-8601-00000000A802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.479{3EE3745C-C652-63BE-8601-00000000A802}836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000042031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:14.228{3EE3745C-C651-63BE-8501-00000000A802}25483600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000112778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:15.994{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:15.994{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70607771CA6CAB91FAAA82B97E02CF7,SHA256=29956A9FA613982BAE227DFB422263DCB39BA7EAF08105B020F5B484687F55C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.639{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4130C2B73E2E9E3D41A242F3AECB20,SHA256=4CA3B0C5C594EA0AB4BFF14A68B75806AE39EFB978698AAE1DF415D677360684,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:15.014{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:15.014{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4BD919DF95982CFF89256125C37D53,SHA256=EF3A6DBD132C33325BB4FB36D77835A32CAC96D1EF90B6E9278240862896D751,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.311{3EE3745C-C653-63BE-8701-00000000A802}36882016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.155{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C653-63BE-8701-00000000A802}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:15.155{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.155{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C653-63BE-8701-00000000A802}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.155{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C653-63BE-8701-00000000A802}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:15.155{3EE3745C-C653-63BE-8701-00000000A802}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.677{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2E4AE94AA94D9486C8C9220CFB00F4,SHA256=670ED75E2CF2740302DF044A692E7CD2D8858F204C560C3DC4377DF57D7ACDD9,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000112780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:16.165{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-10 09:33:07.314 23542300x8000000000000000112779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:16.165{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:13.694{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50085-false10.0.1.12-8000- 10341000x800000000000000042074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.552{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C654-63BE-8801-00000000A802}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.552{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C654-63BE-8801-00000000A802}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.552{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C654-63BE-8801-00000000A802}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.552{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:16.553{3EE3745C-C654-63BE-8801-00000000A802}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows 
Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:17.762{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E179075AC696D9A077C01E0EC95E7C,SHA256=A33E2B6A9D4D14E4FC8F1D96D395DABF914B5D939E21E2D3D336BB7670187E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:17.715{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=641E3FD80D569330E302A48E824F0264,SHA256=5729F791E45332DFE8476D9055311E3469F767C52CED5FD9098BCF02AE44D98C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000112784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:15.943{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52080-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 
354300x8000000000000000112783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:15.937{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52079-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000112782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:17.082{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:17.082{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947DB88E449B15E1CF05F0026AE01B46,SHA256=4D1F10693285CC72E45645D543AE6A5CB60A2C8AC7D20D4026046AEC3BC69EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:18.742{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC9E038D8A32CD93BF3088DA90A11FE,SHA256=1D49969C1200AAF03036766309B669908942939105C9E065AD2981F90C481241,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:18.164{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:18.164{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872CBDB31F5090FA43BE3EEF427578E3,SHA256=BDBCF7121BF492C4107C5CD2A8B6C3E108B546B4399E08206446492F7623E563,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:19.365{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:19.365{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A6F4C7FAFBE5D8A9D8F355702B3DEF,SHA256=E006D92F96C77685DB6851D39D6AE5963554FB3DEBA7174BD1818B79F3C9CAAB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:20.559{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:20.559{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D39ED79673D8B1A4B214134FE151D6,SHA256=9D2D9B0E611B1DEAC65819E4528E7FC4AC088D6D383119EC94DAE936D29B5AF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:18.834{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50086-false10.0.1.12-8000- 23542300x800000000000000042080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:20.032{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D9153FEEDEE4C2EB9EABBBE2EEB348,SHA256=47E8FDBBCF8176201F783593DF450530EB2AEEDC78C39C7EAD81487680ED986C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:21.965{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000112817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:21.965{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40BFD821D4C751F4D768A4F14B5C6C5,SHA256=C2FA74F18AC415E7D9CC8932C9270209FFC5E097ADEEA98F1407EA8416B1BEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:21.117{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8FBFECE1EE0E06270B094A19560521,SHA256=1D519A910BE0768BEA566714F7DC4808A9E13A0FE00270B4799F5A663C6365FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:21.644{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.349{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.347{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.347{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.344{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.321{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.309{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.259{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.248{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.236{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.228{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.227{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.223{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.219{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.215{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.214{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000112827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.211{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405988C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 11241100x8000000000000000112826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.160{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:24.160{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8E2F11796F6F35255E4482E3E8D84B,SHA256=908543B600CCE32245B4CE219529F8BD8FE85852ACFB2AABDEC6A8402152BB5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.563{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.507{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.499{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.489{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.478{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.467{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.458{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.443{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.429{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.419{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.410{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.408{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 23542300x800000000000000042115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:25.655{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DAF0B35886B4A00B6633103C9DD8F9,SHA256=3A8D6D5FD9E366F527A82739E8104C83C00A1038F5BE05BCA1772F266D9D9510,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:25.326{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000112848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:25.326{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6C1D58A2E8EC061939459B98C655E9,SHA256=1BA640C37DFACAAD3CA8E06891BA7F259658CC8102F045EBC820ABF2C5AC0FDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:24.652{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50087-false10.0.1.12-8000- 23542300x800000000000000042116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:26.743{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5132010B0208389FEBBA8AACF46FB480,SHA256=25127567F0750133DCA3C42416A12160D528415E8C5F6ACB61006C68BA840B71,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000112851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:26.409{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Microsoft-Windows-Sysmon/Operational records from the export, one record per line, EventData fields in Sysmon schema order. Values identical in every record and therefore not repeated on the lines: Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, Task=EventID, RuleName=-; Version is 5 for EventID 1, 3 and 23, 3 for EventID 7 and 10, and 2 for EventID 11. Event types present: 1 (process create), 3 (network connection), 7 (image loaded), 10 (process accessed), 11 (file created), 23 (file delete archived). In the EventID 10 records the exported SourceProcessId and SourceThreadId values are run together with no delimiter and are reproduced as one value.

(tail of an EventID 11 record that begins before this excerpt; the path is cut at the excerpt boundary) TargetFilename=Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2023-01-10 09:32:18.990
EventID=23 EventRecordID=112850 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:26.409 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=B30BBADA87E3471433286EE9197D7432,SHA256=75BCE81C33EE9EA18D0F961C6900206C83B9BE8DBBBBBF78BD7FB24D0174C716,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=42118 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:23:27.826 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=0B9476049D7D7FAD5D3F87983E4FF635,SHA256=C9B6FB9AED7AD0B74916F3769F021D1139FBD1325E19563BCA36ED74D173FED3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 EventRecordID=112854 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:27.652 ProcessGuid={7DAC9CB3-BE97-63BE-2800-00000000A702} ProcessId=2656 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log CreationUtcTime=2023-01-11 14:23:27.652
EventID=11 EventRecordID=112853 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:27.512 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2023-01-10 09:32:18.990
EventID=23 EventRecordID=112852 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:27.512 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=DF871CAFE99D3E044489CB3D7AAD32F3,SHA256=1FA54CD201934A7FF6FF70F4ADB84C43255F8D19B6064C31DE000A0CB65D5964,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 EventRecordID=42119 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:23:28.900 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=C1B9116BEF00D43A30DA14D5C7AD78ED,SHA256=24AA24A03DF9F49AFFC205A3F24740C0405D5B40FBEF5242A30B62EC98D189BF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 EventRecordID=112857 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:28.710 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2023-01-10 09:32:18.990
EventID=23 EventRecordID=112856 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:28.710 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=37BEF00D305F537726A0236481C0FA6B,SHA256=BE5CD2E5A5C73F6D8C4BED3972F2C9F9BD80731DE2C38FF0C0D1186A79952C58,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 EventRecordID=112855 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:26.057 ProcessGuid={7DAC9CB3-BEA4-63BE-7100-00000000A702} ProcessId=3944 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-661.attackrange.local SourcePort=52082 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 EventRecordID=112912 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.828 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2023-01-10 09:32:18.990
EventID=23 EventRecordID=112911 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.828 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=8D19E2E90EF7CDF4D32087391DACE12A,SHA256=7B5D27E927D8DCF5787B5C508B7941936F04066ED7E3B330C7A2FBEFC7E6DEC4,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 EventRecordID=112910 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.640 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application CreationUtcTime=2023-01-10 09:30:10.975
EventID=23 EventRecordID=112909 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.640 ProcessGuid={7DAC9CB3-BEAB-63BE-7B00-00000000A702} ProcessId=3632 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application Hashes=MD5=04F05D787E251AE5D4940D61786C228B,SHA256=B5D0FD6CEF0BCD1A331EF1B60BCC344C02FCFA3D6D2E1AFC5013D0DB8A648BCC,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=7 EventRecordID=112908 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.317 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\kernel.appcore.dll FileVersion=10.0.14393.2312 (rs1_release.180607-1919) Description=AppModel API Host Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel.appcore.dll Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112907 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.317 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\dbgcore.dll FileVersion=10.0.14321.1024 (debuggers(dbg).210127-1811) Description=Windows Core Debugging Helpers Product=Microsoft® Windows® Operating System Company=Microsoft OriginalFileName=DBGCORE.DLL Hashes=MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112906 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.317 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\dbghelp.dll FileVersion=10.0.14321.1024 (rs1_release.160715-1616) Description=Windows Image Helper Product=Microsoft® Windows® Operating System Company=Microsoft OriginalFileName=DBGHELP.DLL Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112905 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.118 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\cryptbase.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Base cryptographic API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=cryptbase.dll Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112904 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.118 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\rsaenh.dll FileVersion=10.0.14393.4467 (rs1_release.210604-1844) Description=Microsoft Enhanced Cryptographic Provider Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=rsaenh.dll Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112903 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.118 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\cryptsp.dll FileVersion=10.0.14393.2969 (rs1_release.190503-1820) Description=Cryptographic Service Provider API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=cryptsp.dll Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112902 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.118 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\srvcli.dll FileVersion=10.0.14393.5066 (rs1_release.220401-1841) Description=Server Service Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SRVCLI.DLL Hashes=MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112901 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.118 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\bcrypt.dll FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Windows Cryptographic Primitives Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=bcrypt.dll Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112900 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.118 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\wkscli.dll FileVersion=10.0.14393.5066 (rs1_release.220401-1841) Description=Workstation Service Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WKSCLI.DLL Hashes=MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112899 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.118 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\netutils.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Net Win32 API Helpers DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=NETUTILS.DLL Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112898 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.118 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\netapi32.dll FileVersion=10.0.14393.5427 (rs1_release.220929-2054) Description=Net Win32 API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=NetApi32.DLL Hashes=MD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588C Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112897 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll FileVersion=14.16.27012.6 built by: vcwrkspc Description=Microsoft® C Runtime Library Product=Microsoft® Visual Studio® 2017 Company=Microsoft Corporation OriginalFileName=msvcp140.dll Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD Signed=true Signature=Microsoft Corporation SignatureStatus=Valid
EventID=7 EventRecordID=112896 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\msvcp_win.dll FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) Description=Microsoft® C Runtime Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=msvcp_win.dll Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112895 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\oleaut32.dll FileVersion=10.0.14393.4402 (rs1_release.210426-1725) Description=OLEAUT32.DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=OLEAUT32.DLL Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112894 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\bcryptprimitives.dll FileVersion=10.0.14393.4770 (rs1_release.211101-1440) Description=Windows Cryptographic Primitives Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=bcryptprimitives.dll Hashes=MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112893 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\combase.dll FileVersion=10.0.14393.5582 (rs1_release.221130-1719) Description=Microsoft COM for Windows Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=COMBASE.DLL Hashes=MD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112892 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll FileVersion=14.16.27012.6 built by: vcwrkspc Description=Microsoft® C Runtime Library Product=Microsoft® Visual Studio® 2017 Company=Microsoft Corporation OriginalFileName=vcruntime140.dll Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E Signed=true Signature=Microsoft Corporation SignatureStatus=Valid
EventID=7 EventRecordID=112891 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\ole32.dll FileVersion=10.0.14393.5127 (rs1_release_inmarket.220514-1756) Description=Microsoft OLE for Windows Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=OLE32.DLL Hashes=MD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112890 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\win32u.dll FileVersion=10.0.14393.51 (rs1_release_inmarket.160801-1836) Description=Win32u Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Win32u.DLL Hashes=MD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112889 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\Wldap32.dll FileVersion=10.0.14393.5356 (rs1_release.220906-1211) Description=Win32 LDAP API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=WLDAP32.DLL Hashes=MD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112888 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\gdi32full.dll FileVersion=10.0.14393.5582 (rs1_release.221130-1719) Description=GDI Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=gdi32 Hashes=MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112887 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\user32.dll FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=Multi-User Windows USER API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=user32 Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112886 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\adsldpc.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=ADs LDAP Provider C DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=adsldpc Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112885 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\archive.dll FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 Signed=true Signature=Splunk, Inc. SignatureStatus=Valid
EventID=7 EventRecordID=112884 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\gdi32.dll FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=GDI Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=gdi32 Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112883 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\ws2_32.dll FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) Description=Windows Socket 2.0 32-Bit DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ws2_32.dll Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112882 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll FileVersion=1.0.2za Description=OpenSSL Shared Library Product=The OpenSSL Toolkit Company=The OpenSSL Project, http://www.openssl.org/ OriginalFileName=libeay32.dll Hashes=MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE Signed=true Signature=Splunk, Inc. SignatureStatus=Valid
EventID=7 EventRecordID=112881 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E Signed=true Signature=Splunk, Inc. SignatureStatus=Valid
EventID=7 EventRecordID=112880 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 Signed=true Signature=Splunk, Inc. SignatureStatus=Valid
EventID=7 EventRecordID=112879 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\rpcrt4.dll FileVersion=10.0.14393.5291 (rs1_release.220806-1444) Description=Remote Procedure Call Runtime Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=rpcrt4.dll Hashes=MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112878 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\fltLib.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Filter Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=filterLib.dll Hashes=MD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112877 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll FileVersion=1.0.2za Description=OpenSSL Shared Library Product=The OpenSSL Toolkit Company=The OpenSSL Project, http://www.openssl.org/ OriginalFileName=ssleay32.dll Hashes=MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 Signed=true Signature=Splunk, Inc. SignatureStatus=Valid
EventID=7 EventRecordID=112876 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\sechost.dll FileVersion=10.0.14393.5006 (rs1_release.220301-1704) Description=Host for SCM/SDDL/LSA Lookup APIs Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=sechost.dll Hashes=MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112875 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\ucrtbase.dll FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) Description=Microsoft® C Runtime Library Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ucrtbase.dll Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112874 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll FileVersion=- Description=- Product=- Company=- OriginalFileName=- Hashes=MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916 Signed=true Signature=Splunk, Inc. SignatureStatus=Valid
EventID=7 EventRecordID=112873 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\advapi32.dll FileVersion=10.0.14393.5427 (rs1_release.220929-2054) Description=Advanced Windows 32 Base API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=advapi32.dll Hashes=MD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112872 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll FileVersion=2.9.10 Description=libxml2 library Product=libxml2 Company=- OriginalFileName=libxml2.dll Hashes=MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20 Signed=true Signature=Splunk, Inc. SignatureStatus=Valid
EventID=7 EventRecordID=112871 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\msvcrt.dll FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) Description=Windows NT CRT DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=msvcrt.dll Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112870 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\activeds.dll FileVersion=10.0.14393.4169 (rs1_release.210107-1130) Description=ADs Router Layer DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ADs Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=10 EventRecordID=112869 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 SourceProcessGUID={7DAC9CB3-BE98-63BE-3600-00000000A702} SourceProcessId+SourceThreadId=31163136 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={7DAC9CB3-C661-63BE-F601-00000000A702} TargetProcessId=6300 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=7 EventRecordID=112868 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\KernelBase.dll FileVersion=10.0.14393.5582 (rs1_release.221130-1719) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=Kernelbase.dll Hashes=MD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112867 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\kernel32.dll FileVersion=10.0.14393.5582 (rs1_release.221130-1719) Description=Windows NT BASE API Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=kernel32 Hashes=MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112866 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Windows\System32\ntdll.dll FileVersion=10.0.14393.5427 (rs1_release.220929-2054) Description=NT Layer DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=ntdll.dll Hashes=MD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112865 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe FileVersion=10.0.10011.16384 Description=SplunkMonNoHandle Control Program Product=Windows (R) Win 7 DDK driver Company=Windows (R) Win 7 DDK provider OriginalFileName=SplunkMonNoHandle.exe Hashes=MD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D Signed=true Signature=Splunk, Inc. SignatureStatus=Valid
EventID=10 EventRecordID=112864 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId+SourceThreadId=8364360 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 EventRecordID=112863 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId+SourceThreadId=8364360 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 EventRecordID=112862 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId+SourceThreadId=8364360 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 EventRecordID=112861 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 SourceProcessGUID={7DAC9CB3-BE88-63BE-0C00-00000000A702} SourceProcessId+SourceThreadId=8364360 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={7DAC9CB3-BE97-63BE-2D00-00000000A702} TargetProcessId=2728 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 EventRecordID=112860 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 SourceProcessGUID={7DAC9CB3-BE86-63BE-0500-00000000A702} SourceProcessId+SourceThreadId=420436 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={7DAC9CB3-C661-63BE-F601-00000000A702} TargetProcessId=6300 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
EventID=10 EventRecordID=112859 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 SourceProcessGUID={7DAC9CB3-BE97-63BE-2800-00000000A702} SourceProcessId+SourceThreadId=26563220 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={7DAC9CB3-C661-63BE-F601-00000000A702} TargetProcessId=6300 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=1 EventRecordID=112858 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:29.101 ProcessGuid={7DAC9CB3-C661-63BE-F601-00000000A702} ProcessId=6300 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe FileVersion=10.0.10011.16384 Description=SplunkMonNoHandle Control Program Product=Windows (R) Win 7 DDK driver Company=Windows (R) Win 7 DDK provider OriginalFileName=SplunkMonNoHandle.exe CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={7DAC9CB3-BE87-63BE-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D ParentProcessGuid={7DAC9CB3-BE97-63BE-2800-00000000A702} ParentProcessId=2656 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23 EventRecordID=42120 Computer=win-host-ctus-attack-range-780 UtcTime=2023-01-11 14:23:30.001 ProcessGuid={3EE3745C-BE98-63BE-7400-00000000A802} ProcessId=3564 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=7DA4C86BF68561DE8272C120564227B1,SHA256=E51F65E3842ACF5C538B9CADBFAF45EBB602667AFF65E59D281F391572BA0E31,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=7 EventRecordID=112964 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:30.752 ProcessGuid={7DAC9CB3-C662-63BE-F701-00000000A702} ProcessId=4240 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ImageLoaded=C:\Windows\System32\cryptbase.dll FileVersion=10.0.14393.0 (rs1_release.160715-1616) Description=Base cryptographic API DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=cryptbase.dll Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112963 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:30.752 ProcessGuid={7DAC9CB3-C662-63BE-F701-00000000A702} ProcessId=4240 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ImageLoaded=C:\Windows\System32\rsaenh.dll FileVersion=10.0.14393.4467 (rs1_release.210604-1844) Description=Microsoft Enhanced Cryptographic Provider Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=rsaenh.dll Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112962 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:30.752 ProcessGuid={7DAC9CB3-C662-63BE-F701-00000000A702} ProcessId=4240 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ImageLoaded=C:\Windows\System32\cryptsp.dll FileVersion=10.0.14393.2969 (rs1_release.190503-1820) Description=Cryptographic Service Provider API Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=cryptsp.dll Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112961 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:30.752 ProcessGuid={7DAC9CB3-C662-63BE-F701-00000000A702} ProcessId=4240 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ImageLoaded=C:\Windows\System32\srvcli.dll FileVersion=10.0.14393.5066 (rs1_release.220401-1841) Description=Server Service Client DLL Product=Microsoft® Windows® Operating System Company=Microsoft Corporation OriginalFileName=SRVCLI.DLL Hashes=MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=7 EventRecordID=112960 Computer=win-dc-ctus-attack-range-661.attackrange.local UtcTime=2023-01-11 14:23:30.752 ProcessGuid={7DAC9CB3-C662-63BE-F701-00000000A702} ProcessId=4240 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe ImageLoaded=C:\Windows\System32\bcrypt.dll FileVersion=10.0.14393.4583 (rs1_release.210730-1850) Description=Windows Cryptographic Primitives Library Product=Microsoft® (record cut off at the end of this excerpt)
Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000112959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.752{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000112958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.752{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000112957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.752{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 
734700x8000000000000000112956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.752{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000112955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000112954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000112953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000112952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000112951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000112950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, 
Inc.Valid 734700x8000000000000000112949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000112948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000112947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000112946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, 
Inc.Valid 734700x8000000000000000112945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000112944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000112943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000112942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000112941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000112940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000112939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000112938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000112937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000112936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 
734700x8000000000000000112935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000112934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000112933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000112932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000112931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000112930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000112929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000112928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000112926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 
734700x8000000000000000112925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000112924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000112923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:30.737{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:30.737{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:30.737{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:31.065{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E889E8943E24F1A4561EE9F340A2FA07,SHA256=AE5CB9821395BF6188EFE54E46CE4208B7F614445F9F41AC049C4472DB668FB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000112967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:31.002{7DAC9CB3-C662-63BE-F701-00000000A702}42404428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000112966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:31.002{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000112965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:31.002{7DAC9CB3-C662-63BE-F701-00000000A702}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000042123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:32.275{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2845DD97AF1E2319DFABD0CEE69841D9,SHA256=C445DEAB6209554F4C1EE836A9206936F080456EAE84AC9DC5B0F4BD90A3B0BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:32.174{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:32.174{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3899F17044019D1BA4DC67976565EDB6,SHA256=6B0A11CC1A1D59D05E30AB0CFD560D5FADF87311EA43A9E7C47707EBCD10B22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:23:33.362{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F949183FF935AB18845A296C8CD5FC,SHA256=61E7C138864A801A2E7ABF3CAB110D51BC2D967EE1B9E1F3C636636280DC6A57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:31.915{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52084-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000113082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.491{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000113081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.491{7DAC9CB3-C665-63BE-F901-00000000A702}24082668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.491{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000113079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.491{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000113078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.256{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000113077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.256{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000113076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.256{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000113075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.256{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000113074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.256{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000113073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.256{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000113072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.256{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000113071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.256{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000113070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000113069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000113068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000113067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000113066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000113065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000113064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000113063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000113061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000113060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000113059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000113058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000113057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000113056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000113055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000113054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000113053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000113052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000113051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft 
WindowsValid 734700x8000000000000000113050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000113049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000113048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000113047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000113046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000113045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000113044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000113043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000113041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000113040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000113038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:33.240{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:33.240{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000113033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.240{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000113032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.241{7DAC9CB3-C665-63BE-F901-00000000A702}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000113031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.225{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:33.225{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE3109795FCCE66E9E4151183AE9E58,SHA256=778D1AEB53F00AE725930FE1780C8A42A6D8BCA76878C819190FE9197B1D4D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:34.550{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2BE4342E46D2B1A93F13FA45879C8C,SHA256=C2E1CE805FF68B9A7F950DE14E6BD499FEB7E54E48FC7121489759E9F2661AD6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000113198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.992{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000113197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.977{7DAC9CB3-C666-63BE-FB01-00000000A702}47762724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.969{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000113195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.969{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000113194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.810{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:34.810{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3179C366836CF8AFC96F6D2B1E39E51B,SHA256=80722B6A6C07B26177329361DCEFE1B4BF925438C42D76CBC4279A57A0B0A1F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.725{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000113191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.725{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000113190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.725{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000113189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.725{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000113188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.725{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000113187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.725{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000113186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.674{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000113185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.674{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000113184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.673{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000113183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.672{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000113182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.670{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000113181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.670{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000113180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.669{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000113179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.667{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000113178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000113177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000113176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000113175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000113174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000113173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000113172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000113171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000113170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000113169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000113167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000113166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000113165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000113164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000113163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000113162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000113161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000113160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000113159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000113158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000113157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000113156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000113155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000113154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000113153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000113152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x8000000000000000113151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000113150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000113148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000113147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000113146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000113145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000113144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:34.645{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:34.645{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000113140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.645{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000113139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.646{7DAC9CB3-C666-63BE-FB01-00000000A702}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000113138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.457{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.457{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F38A001813734C820FE974342C4BA03,SHA256=5E3923679685F25992C64BD57FA1B451D35BFB9CD721497573F12E5DD34873AC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.442{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.442{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40922700BF55F5BE5A3DF8ED0E350C6C,SHA256=ED6FD4A54BD174678E686E828E09856AC6D62B1E458D42298EFB9832AC4AE9B2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000113134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.379{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000113133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.363{7DAC9CB3-C666-63BE-FA01-00000000A702}6820340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.363{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000113131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.363{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000113130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.176{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000113129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.176{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000113128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.176{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000113127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.176{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000113126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.176{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000113125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.176{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000113124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.176{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000113123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.176{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000113122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.160{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000113121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000113120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000113119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000113118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000113117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000113116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000113115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000113114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000113112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:34.145{7DAC9CB3-C666-63BE-FA01-00000000A702}6820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000113228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000113227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000113226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000113225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000113224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000113223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000113222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000113221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000113220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000113219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000113218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000113217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000113216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000113215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000113214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000113212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000113211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000113209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:36.554{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:36.554{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:23:36.554{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000113204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.554{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000113203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:36.555{7DAC9CB3-C668-63BE-FC01-00000000A702}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000113263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:37.791{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:37.791{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52963A8748831BF39E4137AB938E05A,SHA256=A24CCE5E147909B4F74946F4751DC8AEBCA9603253A68E1E8059432DDD72AB6E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:37.040{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:37.040{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C3BE89ABFD5543035231D3AD2A3A3C,SHA256=5B6ED425602D76EC4C2EFD98231F4D229277FA0438AA8DF9A9EA6F267F677815,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:38.880{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:38.880{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AF0F0BD9178457B7A435C3E52BA283,SHA256=E98EC26E97054583D4C08AC556C182189FD025AFDCA3328AB8809235A42C4956,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:35.772{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50089-false10.0.1.12-8000- 23542300x800000000000000042128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:38.030{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042ADFA079E40DF5A666E9C9E7915B9D,SHA256=7807A90883F7EFA2BED71A7CCB670A7F51460DC62E9FD192D38169E24A8D5A4E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:39.957{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:39.957{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8E41B1BD19BB2C6F22976D773A5BF3,SHA256=26019B09F0ECD2600D59682B39D2D8FAB5CD214339424F8335E4CD846F2BB83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:39.135{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9D64A55CC557F74471F7FD7D2B0A03,SHA256=B7692D52309B39C57EE48FF1E44193A6F677E965D2A97C01E074BB070D657FAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:37.887{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52085-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000042131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:40.213{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFE8E6908109F717903BDA6CC778667,SHA256=A0730075D02A051D3506C163D554AE979BC6918A2B7B63F6EB97F68D159562D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:41.307{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C422E3B16F299AB0C75D2094432E759F,SHA256=95F738478C4E68DAF8A756C3401B0F60431250E81C10D7611570EAFE3428EB03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:41.435{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 
Flattened Sysmon export (channel Microsoft-Windows-Sysmon/Operational), one record per line. The export ran every XML field together with no separator; below the fields are split out in the order Sysmon emits them and labelled. Common to every record: Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-". Event versions in this export: Event ID 10 v3, Event ID 11 v2, Event ID 23 v5, Event ID 3 v5.

Every complete Event ID 10 (ProcessAccess) record has SourceImage C:\Program Files\Aurora-Agent\aurora-agent.exe, GrantedAccess 0x40 and the same CallTrace, differing only in the final UNKNOWN(...) frame, which is given per record:
C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(...)
The wow64.dll and wow64cpu.dll frames show that aurora-agent.exe is a 32-bit process running under WOW64 on these 64-bit hosts. SourceProcessId and SourceThreadId are run together in the export (58406048 and 58405976 on the DC, 15522488 on the host). They are written below as 5840/6048, 5840/5976 and 1552/2488: 5840 is the only PID consistent with both DC thread ids when both halves must be multiples of four (how Windows allocates PIDs and TIDs); the host split 1552/2488 is the assumed one.

RecordID 113288 | UtcTime 2023-01-11 14:23:41.419 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-2600-00000000A702} PID 2544 C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113287 | UtcTime 2023-01-11 14:23:41.407 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-2500-00000000A702} PID 2468 C:\Windows\System32\spoolsv.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113286 | UtcTime 2023-01-11 14:23:41.403 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE92-63BE-2300-00000000A702} PID 2324 C:\Windows\System32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113285 | UtcTime 2023-01-11 14:23:41.402 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE8A-63BE-1D00-00000000A702} PID 2072 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113284 | UtcTime 2023-01-11 14:23:41.395 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-1700-00000000A702} PID 1424 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113283 | UtcTime 2023-01-11 14:23:41.355 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-1600-00000000A702} PID 1300 C:\Windows\System32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113282 | UtcTime 2023-01-11 14:23:41.345 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-1500-00000000A702} PID 1236 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113281 | UtcTime 2023-01-11 14:23:41.339 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-1400-00000000A702} PID 1120 C:\Windows\system32\dwm.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113280 | UtcTime 2023-01-11 14:23:41.314 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-1300-00000000A702} PID 932 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113279 | UtcTime 2023-01-11 14:23:41.294 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-1200-00000000A702} PID 488 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113278 | UtcTime 2023-01-11 14:23:41.272 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-1100-00000000A702} PID 412 C:\Windows\System32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113277 | UtcTime 2023-01-11 14:23:41.259 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-1000-00000000A702} PID 100 C:\Windows\System32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113276 | UtcTime 2023-01-11 14:23:41.248 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-0F00-00000000A702} PID 388 C:\Windows\system32\LogonUI.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113275 | UtcTime 2023-01-11 14:23:41.225 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-0E00-00000000A702} PID 1020 C:\Windows\System32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113274 | UtcTime 2023-01-11 14:23:41.202 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE89-63BE-0D00-00000000A702} PID 896 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113273 | UtcTime 2023-01-11 14:23:41.146 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE88-63BE-0C00-00000000A702} PID 836 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113272 | UtcTime 2023-01-11 14:23:41.040 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 11 FileCreate | Process {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
RecordID 113271 | UtcTime 2023-01-11 14:23:41.040 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 23 FileDelete | Process {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User NT AUTHORITY\SYSTEM | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=DEFF07AF676260BB94ED38E690A910A5,SHA256=5BD309D43062E7F9C1ECD08208F7B942FC777B1DFB1470745B0D0F9E394099F3,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
RecordID 113270 | UtcTime 2023-01-11 14:23:41.019 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE87-63BE-0B00-00000000A702} PID 636 C:\Windows\system32\lsass.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113269 | UtcTime 2023-01-11 14:23:41.005 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/5976 | Target {7DAC9CB3-BE86-63BE-0900-00000000A702} PID 576 C:\Windows\system32\winlogon.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(00000000135803D0)
RecordID 42134 | UtcTime 2023-01-11 14:23:42.613 | Computer win-host-ctus-attack-range-780 | Event 23 FileDelete | Process {3EE3745C-BE98-63BE-7400-00000000A802} PID 3564 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User NT AUTHORITY\SYSTEM | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=4AA454FCE60BE6BBBC839746ADCDBC25,SHA256=A8188FF1F8971590BA9F5035779251D1F6D86908E846130BE1A6A271ED553038,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
RecordID 113298 | UtcTime 2023-01-11 14:23:42.287 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-3000-00000000A702} PID 2760 C:\Windows\system32\dfssvc.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113297 | UtcTime 2023-01-11 14:23:42.285 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-2E00-00000000A702} PID 2740 C:\Windows\System32\ismserv.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113296 | UtcTime 2023-01-11 14:23:42.281 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-2D00-00000000A702} PID 2728 C:\Windows\sysmon64.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113295 | UtcTime 2023-01-11 14:23:42.279 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-2C00-00000000A702} PID 2708 C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113294 | UtcTime 2023-01-11 14:23:42.271 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-2B00-00000000A702} PID 2700 C:\Windows\system32\DFSRs.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113293 | UtcTime 2023-01-11 14:23:42.268 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-2A00-00000000A702} PID 2692 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113292 | UtcTime 2023-01-11 14:23:42.261 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-2800-00000000A702} PID 2656 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113291 | UtcTime 2023-01-11 14:23:42.072 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 11 FileCreate | Process {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
RecordID 113290 | UtcTime 2023-01-11 14:23:42.070 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 23 FileDelete | Process {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User NT AUTHORITY\SYSTEM | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=9F11F9B07AD7F1BF1F037D019F5CFFAC,SHA256=AF8AEBC8296D0E47264CBD192F8950E5292C6D3DF33A8481AA85308A9B108B79,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
RecordID 42133 | UtcTime 2023-01-11 14:23:42.116 | Computer win-host-ctus-attack-range-780 | Event 23 FileDelete | Process {3EE3745C-BE85-63BE-2200-00000000A802} PID 1620 C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | User NT AUTHORITY\SYSTEM | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log | Hashes MD5=14EDAE16F799C28636DA4DCDCC8F95A1,SHA256=33843926BBF0EFE5F195DCB568C622ECA388D69092E303DDC990FC3F8ACCD901,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
RecordID 42135 | UtcTime 2023-01-11 14:23:43.690 | Computer win-host-ctus-attack-range-780 | Event 23 FileDelete | Process {3EE3745C-BE98-63BE-7400-00000000A802} PID 3564 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User NT AUTHORITY\SYSTEM | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=369A9E4C2D8A187544F15722CAAA8A0D,SHA256=A9CFEDFD54774C5C923B46DE3ABCE69A7C3B8AAB1CB21ADBE65DD14835A81A58,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
RecordID 113300 | UtcTime 2023-01-11 14:23:43.125 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 11 FileCreate | Process {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
RecordID 113299 | UtcTime 2023-01-11 14:23:43.125 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 23 FileDelete | Process {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User NT AUTHORITY\SYSTEM | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=8362DE7FDD346C6BC1AAA2F68CCAB356,SHA256=F05F366651623C80324C83926F4E8333E3C06A870904EE886F71F100E4A3BC06,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
RecordID 42166 | UtcTime 2023-01-11 14:23:44.919 | Computer win-host-ctus-attack-range-780 | Event 23 FileDelete | Process {3EE3745C-BE98-63BE-7400-00000000A802} PID 3564 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User NT AUTHORITY\SYSTEM | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=1B014834AFDF751173F7A218337B7F42,SHA256=CE8B30DDB406D325F10B850C88510AEF24DA51F66F2A141BBA2F5FB00CEEA087,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
RecordID 113317 | UtcTime 2023-01-11 14:23:44.976 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BF90-63BE-AE00-00000000A702} PID 4168 C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113316 | UtcTime 2023-01-11 14:23:44.924 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BF8F-63BE-AD00-00000000A702} PID 5040 C:\Windows\Explorer.EXE | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113315 | UtcTime 2023-01-11 14:23:44.912 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BF8E-63BE-A500-00000000A702} PID 4540 C:\Windows\system32\svchost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113314 | UtcTime 2023-01-11 14:23:44.889 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BF8E-63BE-A200-00000000A702} PID 4436 C:\Windows\System32\rdpclip.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113313 | UtcTime 2023-01-11 14:23:44.878 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BF8C-63BE-9F00-00000000A702} PID 172 C:\Windows\system32\dwm.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113312 | UtcTime 2023-01-11 14:23:44.873 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BF8B-63BE-9D00-00000000A702} PID 2144 C:\Windows\system32\winlogon.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113311 | UtcTime 2023-01-11 14:23:44.867 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BF11-63BE-8900-00000000A702} PID 3180 C:\Windows\System32\msdtc.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113310 | UtcTime 2023-01-11 14:23:44.859 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113309 | UtcTime 2023-01-11 14:23:44.846 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BEA4-63BE-7100-00000000A702} PID 3944 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113308 | UtcTime 2023-01-11 14:23:44.845 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE99-63BE-4500-00000000A702} PID 3588 C:\Windows\system32\conhost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113307 | UtcTime 2023-01-11 14:23:43.033 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 3 NetworkConnect | Process {7DAC9CB3-BEA4-63BE-7100-00000000A702} PID 3944 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | Protocol tcp | Initiated true | Source 10.0.1.14 win-dc-ctus-attack-range-661.attackrange.local port 52086 (IPv6 false, PortName -) | Destination 10.0.1.12 ip-10-0-1-12.us-east-2.compute.internal port 8000 (IPv6 false, PortName -)
RecordID 113306 | UtcTime 2023-01-11 14:23:44.840 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE99-63BE-4400-00000000A702} PID 3552 C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113305 | UtcTime 2023-01-11 14:23:44.333 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE98-63BE-3D00-00000000A702} PID 3280 C:\Windows\System32\vds.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113304 | UtcTime 2023-01-11 14:23:44.332 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE98-63BE-3600-00000000A702} PID 3116 C:\Windows\system32\conhost.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113303 | UtcTime 2023-01-11 14:23:44.330 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 10 ProcessAccess | Source {7DAC9CB3-BF9C-63BE-B700-00000000A702} PID/TID 5840/6048 | Target {7DAC9CB3-BE97-63BE-3100-00000000A702} PID 3028 C:\Windows\system32\wbem\unsecapp.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000017A1A190)
RecordID 113302 | UtcTime 2023-01-11 14:23:44.223 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 11 FileCreate | Process {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2023-01-10 09:32:18.990
RecordID 113301 | UtcTime 2023-01-11 14:23:44.223 | Computer win-dc-ctus-attack-range-661.attackrange.local | Event 23 FileDelete | Process {7DAC9CB3-BEAB-63BE-7B00-00000000A702} PID 3632 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User NT AUTHORITY\SYSTEM | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=6B60B0790A8C7A1D603D6AD134FCA1BC,SHA256=19E6F36BEAB072BAEF58BB69926619075833999EFC37825D016C4F1594FEAAF7,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
RecordID 42165 | UtcTime 2023-01-11 14:23:44.655 | Computer win-host-ctus-attack-range-780 | Event 10 ProcessAccess | Source {3EE3745C-BE85-63BE-2100-00000000A802} PID/TID 1552/2488 | Target {3EE3745C-C0AB-63BE-C000-00000000A802} PID 588 C:\Windows\system32\wbem\wmiprvse.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000013438F10)
RecordID 42164 | UtcTime 2023-01-11 14:23:44.647 | Computer win-host-ctus-attack-range-780 | Event 10 ProcessAccess | Source {3EE3745C-BE85-63BE-2100-00000000A802} PID/TID 1552/2488 | Target {3EE3745C-BEFF-63BE-8200-00000000A802} PID 524 C:\Windows\System32\msdtc.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000013438F10)
RecordID 42163 | UtcTime 2023-01-11 14:23:44.644 | Computer win-host-ctus-attack-range-780 | Event 10 ProcessAccess | Source {3EE3745C-BE85-63BE-2100-00000000A802} PID/TID 1552/2488 | Target {3EE3745C-BE98-63BE-7400-00000000A802} PID 3564 C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000013438F10)
RecordID 42162 | UtcTime 2023-01-11 14:23:44.641 | Computer win-host-ctus-attack-range-780 | Event 10 ProcessAccess | Source {3EE3745C-BE85-63BE-2100-00000000A802} PID/TID 1552/2488 | Target {3EE3745C-BE91-63BE-6200-00000000A802} PID 3328 C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | GrantedAccess 0x40 | CallTrace tail UNKNOWN(0000000013438F10)
RecordID 42161 | UtcTime 2023-01-11 14:23:44.640 | Computer win-host-ctus-attack-range-780 | Event 10 ProcessAccess | Source {3EE3745C-BE85-63BE-2100-00000000A802} PID/TID 1552/2488 | Target: record cut off in the export after "C:\Program " (target image, GrantedAccess and CallTrace not present)
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.637{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.636{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.634{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.631{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.628{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.622{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.618{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.614{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.607{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.595{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 
10341000x800000000000000042150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.591{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.572{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.560{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.520{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.507{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.497{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.485{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.471{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.464{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.451{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.442{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.431{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.420{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:44.418{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 354300x800000000000000042136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:41.675{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50090-false10.0.1.12-8000- 23542300x800000000000000042167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:23:45.974{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBB250290EBFCB7C79EDBA2B7B11521,SHA256=B264AFC0021EF9D1B17A33C41829EB2B4EFBF6B7F07757B5A8955D974A6421C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.381{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.381{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E55FCDCF645F7CDCB7CB7780332FA7,SHA256=08BBEF2B05877558A3731A492DBA1C7F956EA69ED850A353FB07B00E7A083AA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.092{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 
10341000x8000000000000000113357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.091{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000113356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.083{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000113355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.071{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000113354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.065{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000113353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.052{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000113352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.051{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000113351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:23:45.050{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.974{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.971{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.963{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.960{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000113415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.958{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.958{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B807B20FC9E69AABB588BF762ECCD0BD,SHA256=AC04515036528D51F0EDF71D531F6FBAA7DEC6276B82A02AB88D20CDDBBCF800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.950{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x800000000000000042187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:01.500{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691618DD1F0B5B80781C21813A247AAA,SHA256=457942AAEA4F944D59D2C6FB8C74942421165C40252505B472B2136E1067664E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.546{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DED11690294A7B85B35DB32042A67B4C,SHA256=2F584DAD23D7EE2ECBA98CB35028221ACD9F82E564DE9611907558D53D9B4652,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.229{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.217{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.209{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.207{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.206{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.204{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.172{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.165{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.158{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.141{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.128{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.117{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.111{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.098{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.077{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.060{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.052{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.004{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:01.001{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x800000000000000042188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:02.592{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20FEBC44CD4237533C851C449E8706C,SHA256=51E99471975C7A0617ACA57768F0082848727B2A0F491A39C1486537FBFBE095,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:00.846{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52089-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000113423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:02.158{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-11 13:50:01.763 23542300x8000000000000000113422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:02.158{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3E3B121B8209CC33ED75BDEEEFA41199,SHA256=093B702519B67CF2B46CA93FE113576A07B10E3DCFFA21AE2ADEC5C19D07879A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:03.807{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DBAE65F9A4CE4DE27BCA353B317BE8C,SHA256=37E07254EB6DD469CD54A22D62DAD3FFA8108DE24E6B3AEF2B70147112C0DBFE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:03.053{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000113425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:03.053{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA1AD26855388FF4A0E6FA50A0695A1,SHA256=B2D095765F68B5E59B83A2ABE20AEB437477EA5FE157D1DF6EE972C70E6807E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.881{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E534301E119ECAC0E1A6A14670573AE,SHA256=60D6B561B913FE008FB8069125E7A193F73621C1320323317FC2C5B5A6598EC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.832{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.826{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.820{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.817{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.816{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.812{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x8000000000000000113452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.698{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.693{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.692{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.686{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.682{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.676{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.675{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.674{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.669{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.640{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.628{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.594{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.580{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.564{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.554{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.552{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.550{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.546{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.542{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.540{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.535{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000113431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.237{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.237{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72464433F7C638DC6CF4D920BF3065C7,SHA256=84188297B108FC419E7301D33C0E36854B4E5C98E73B0126AE840B641BF041AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.809{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.808{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.803{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.791{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.778{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.774{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.768{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.756{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.741{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.736{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.709{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.692{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.650{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.629{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.612{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.584{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.568{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.551{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.508{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.482{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.455{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.435{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x800000000000000042190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.428{3EE3745C-BE85-63BE-2100-00000000A802}155292C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A00190) 10341000x8000000000000000113429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.022{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.020{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:04.019{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 23542300x800000000000000042220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:05.967{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69D1BFF19696405886F046BF7E30723,SHA256=0FADCD6D5C63D74B830040BC2A76775B646173ECF073C7836FFA0DF70FCD8C8E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:05.310{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:05.310{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211174C525FC93233BC0C4AEDF1726FA,SHA256=40EE7556E273256FD5E3869FBC63AA3DDE279EBDEB2832BD0BD7213DC20C45C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000113459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:06.806{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-032MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:06.804{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\respondent-20230111135017-0322023-01-11 14:24:06.804 11241100x8000000000000000113457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:06.803{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\surveyor-20230111135015-0332023-01-11 14:24:06.803 11241100x8000000000000000113456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:06.396{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:06.396{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17135492E9B9019B006ADB624835CBC4,SHA256=730CF95D17308A7FB9DAEEACAA6AC26D5AF1AA7F6D96E4BDE2A4302C22B39E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:04.638{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50094-false10.0.1.12-8000- 23542300x8000000000000000113463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:07.811{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000113462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:06.014{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52090-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000113461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:07.482{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:07.482{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0E53F888DD00538F5E6AA767618598,SHA256=070AE6AC7BF64F72BA0A9A77333B88923162A5A4B02C318CB16AAF149B80AF14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:07.836{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:07.836{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:07.836{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:07.819{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:07.054{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28AFCB0C30A9B488A87827A97C6E0E5,SHA256=68ED3768BC843F4E22260C352812159AFD1E9071466AD65CB247A00152AB838A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:08.565{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:08.565{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64EBE3C1C7B2C582BEF7E38CE5C1FA1,SHA256=4443D969AAE8B7FE26E1B1B24472FA6915FCE36D482849D63B8919C909D0F5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:08.123{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF3E7C43B646D1B321AF415C262A1D8,SHA256=4C4A95F7E26195F6C9281AA9C2645E34B2609F6D2979D4D4A2FC680581CC9335,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:09.660{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:09.660{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265753CE8F8D0D65DD2995F061CA41B6,SHA256=1FF599351AD6AFCE906B0BC35189B3229CE2D97F70C37DD93B632865D211DCC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:09.578{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:09.218{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2343FA447FE1CA0E0FDA5CDFDF45831F,SHA256=4A9930803C2D99CD0E0190CEA13EEF0267B9356FA1E2E725FE6D43D76BC38C13,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000113467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:24:09.265{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x8000000000000000113466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:09.265{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXEHKU\S-1-5-21-2077387376-4232760912-2959047589-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.RkcybereBinary Data 11241100x8000000000000000113471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:10.743{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:10.743{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F494A4FDBC1A574CC4C29A0BBC54DB8,SHA256=26347C94BA27F39A7FB547B897D8654BC66B6069E4CB5D9DCF3ABAAE8ABAC516,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:10.989{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C68A-63BE-8901-00000000A802}920C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:10.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:10.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:10.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:10.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:10.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:10.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:10.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:10.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:10.986{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:10.986{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C68A-63BE-8901-00000000A802}920C:\Program 
14:24:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:13.987{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:13.987{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C68D-63BE-8C01-00000000A802}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:13.986{3EE3745C-C68D-63BE-8C01-00000000A802}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:13.579{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3377C3D49DE39DB459DF0BDB9E42BDBD,SHA256=8A52094DCC31DD27A0CDFC99117015D3E194A54727931A42A8C09A864EE5B85B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:12.026{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52091-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000042277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:10.639{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50096-false10.0.1.12-8000- 10341000x800000000000000042307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.844{3EE3745C-C68E-63BE-8D01-00000000A802}14042784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.670{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454969350D5676E63573762A3582E3E9,SHA256=C229EE1E51B51E08CBB473C027034FA4A7605244DA3279C0179AD903F7BE8442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.654{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C68E-63BE-8D01-00000000A802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:14.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.654{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C68E-63BE-8D01-00000000A802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.654{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C68E-63BE-8D01-00000000A802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.655{3EE3745C-C68E-63BE-8D01-00000000A802}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000113478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:14.000{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:14.000{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E848939076DE709F29267AA1497163,SHA256=134E2FF47C73E4CAB69E7101B6C4533627FD4FBCD6CA56E0B4B749CC514E01FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:14.169{3EE3745C-C68D-63BE-8C01-00000000A802}40323100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000113480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:15.096{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:15.096{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87D13C4C9ABD8AF0D475200CA0D7D4A,SHA256=3E5140D18372D680EEA5D2E20A195A4387E0F21BB77773B88E1D7B3E8DEE4408,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000042321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:15.501{3EE3745C-C68F-63BE-8E01-00000000A802}24562372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:15.329{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C68F-63BE-8E01-00000000A802}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:21.921{7DAC9CB3-BE89-63BE-0D00-00000000A702}896916C:\Windows\system32\svchost.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.865{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.863{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.854{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.846{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.837{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.834{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.830{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000113515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.684{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.683{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA9FC02C069C86F8942B890D04E8CF3,SHA256=FA2985E2E499AFDDC0C1681F200C91166715EDDCFA0C00B355DAF6081C7A9220,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000113513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.281{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.250{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.245{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:21.241{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.569{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DD01-00000000A702}1824C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.561{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.556{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.554{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.552{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.548{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.528{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.510{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.474{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.456{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.444{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.437{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.434{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.431{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.427{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.423{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.420{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000113565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.416{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 11241100x8000000000000000113564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.033{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:24.033{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2873A4BABA7884C6A1111BD7831633E3,SHA256=4EC3E9C436D8A300639A9C1A1C80BE270D8E2072E6986834DD49544ADAEEB7F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:25.360{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E350F7A195F904F6F28538668C55A4FA,SHA256=CD3E2DA9296143A75BB093B1EFFE9C1B0FF389A5F7506B363EC067B7AB62DF3D,IMPHASH=00000000000000000000000000000000falsetrue 
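The run of records above (the fused header `10341000x8000000000000000…` is Sysmon EventID 10, Version 3, Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000, followed by the record ID) shows `C:\Program Files\Aurora-Agent\aurora-agent.exe` (PID 1552 on win-host-ctus-attack-range-780, PID 5840 on win-dc-ctus-attack-range-661) opening every process on each host within about a second, including `lsass.exe`, `winlogon.exe`, `dwm.exe` and a process running as `C:\Users\Administrator\AppData\Roaming\svchosts.exe`, with `GrantedAccess` 0x40 and a `CallTrace` that passes through `wow64.dll` and ends in an `UNKNOWN(…)` frame. 0x40 is `PROCESS_DUP_HANDLE` only; it is not the `PROCESS_VM_READ` (0x10) that an LSASS memory dump needs, so an lsass rule keyed on 0x1010 or 0x1038 will stay quiet on these records, while a rule that only looks at "something opened lsass.exe" will fire on every scan cycle. The script below is an added example, not part of the export and not the code of any tool named in it. It parses ProcessAccess events in the XML shape the Windows event log stores (the export has the tags stripped), decodes the access mask, and applies three checks: memory-read rights on lsass.exe, a target image that masquerades as a system binary from a user's AppData tree, and a sweep of many distinct targets by one source PID, with the source allow-listed by image path. The sample events are constructed: A to D mirror records 42346, 42347, 42351 and 113581 from the export with shortened call traces; E is hypothetical so the lsass check has a true positive. `ALLOWED_SWEEPERS`, `SWEEP_THRESHOLD` and `SYSTEM_STEMS` are assumptions for the example.

```python
r"""Triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example; not part of the original log export and not the code of any
tool named in it. SAMPLE_EVENTS is constructed for this example: events A-D
mirror records in the export (aurora-agent.exe opening lsass.exe, winlogon.exe,
dwm.exe and a process running from AppData\Roaming with GrantedAccess 0x40 via
a wow64 call stack; call traces shortened); event E is a hypothetical memory
read of lsass.exe so the detection has a true positive.
ALLOWED_SWEEPERS, SWEEP_THRESHOLD and SYSTEM_STEMS are assumptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PROCESS_* access rights from winnt.h that matter for ProcessAccess triage.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Any of these on lsass.exe is the classic credential-dumping pattern (0x1010, 0x1038, 0x1fffff).
LSASS_READ_MASK = 0x0008 | 0x0010 | 0x0020
# Hypothetical allow-list: agents expected to open every process with PROCESS_DUP_HANDLE.
ALLOWED_SWEEPERS = {r"c:\program files\aurora-agent\aurora-agent.exe"}
SWEEP_THRESHOLD = 3  # distinct targets per source PID; tiny for the sample, tune per host
SYSTEM_STEMS = ("svchost", "lsass", "csrss", "winlogon", "services", "explorer")


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess bitmask into the named rights it contains."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def parse_events(xml_text: str) -> list[dict]:
    """Flatten concatenated Sysmon <Event> XML into dicts of EventData fields."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {"EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
               "EventRecordID": ev.findtext("e:System/e:EventRecordID", namespaces=NS)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


def looks_like_masquerade(image: str) -> bool:
    """A system-binary-looking name running from a user profile's AppData tree."""
    name = image.rsplit("\\", 1)[-1]
    return "\\appdata\\" in image and name.startswith(SYSTEM_STEMS)


def triage(events: list[dict]) -> list[dict]:
    """Apply three checks to EventID 10 records and return the findings."""
    findings, targets_by_source = [], defaultdict(set)
    for ev in events:
        if ev["EventID"] != 10:
            continue
        src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        mask, trace = int(ev["GrantedAccess"], 16), ev.get("CallTrace", "")
        targets_by_source[(src, ev["SourceProcessId"])].add(tgt)
        base = {"record": ev["EventRecordID"], "source": src, "target": tgt,
                "rights": decode_access(mask), "wow64": "(wow64)" in trace,
                # Frames with no backing module. The agent's own traces end in one,
                # so this is context for the analyst, not a verdict by itself.
                "unbacked_frames": trace.count("UNKNOWN(")}
        if tgt.endswith("\\lsass.exe"):
            if mask & LSASS_READ_MASK:
                findings.append({**base, "rule": "lsass_memory_access"})
            elif src not in ALLOWED_SWEEPERS:  # 0x40 alone still permits handle duplication
                findings.append({**base, "rule": "lsass_access_unexpected_source"})
        if looks_like_masquerade(tgt):
            findings.append({**base, "rule": "masquerade_target"})
    for (src, pid), tgts in targets_by_source.items():
        if len(tgts) >= SWEEP_THRESHOLD:
            findings.append({"rule": "process_sweep", "source": src, "pid": pid,
                             "distinct_targets": len(tgts), "allowed": src in ALLOWED_SWEEPERS})
    return findings


def _event10(rec, src, spid, tgt, tpid, access, trace):
    """Build one constructed Sysmon ProcessAccess event in event-log XML shape."""
    data = {"SourceImage": src, "SourceProcessId": spid, "TargetImage": tgt,
            "TargetProcessId": tpid, "GrantedAccess": access, "CallTrace": trace}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>10</EventID>'
            f'<EventRecordID>{rec}</EventRecordID></System><EventData>{body}</EventData></Event>')


AGENT = r"C:\Program Files\Aurora-Agent\aurora-agent.exe"
AGENT_TRACE = (r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|"
               r"C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|" + AGENT + r"+6a255|UNKNOWN(0000000013900190)")
SAMPLE_EVENTS = "".join([
    _event10(42347, AGENT, 1552, r"C:\Windows\system32\lsass.exe", 632, "0x40", AGENT_TRACE),      # A
    _event10(42346, AGENT, 1552, r"C:\Windows\system32\winlogon.exe", 572, "0x40", AGENT_TRACE),   # B
    _event10(42351, AGENT, 1552, r"C:\Windows\system32\dwm.exe", 904, "0x40", AGENT_TRACE),        # C
    _event10(113581, AGENT, 5840, r"C:\Users\Administrator\AppData\Roaming\svchosts.exe", 5300, "0x40", AGENT_TRACE),  # D
    # E: hypothetical, not from the export: a tool reading LSASS memory from a temp path.
    _event10(900001, r"C:\Temp\dump.exe", 7777, r"C:\Windows\system32\lsass.exe", 632, "0x1010",
             r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Temp\dump.exe+1234"),
])

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run as a script it prints three findings: the masquerade target from record 113581, the hypothetical lsass memory read, and a `process_sweep` for the agent's PID 1552 marked `allowed`. The allow-list keys on image path alone; in production pair it with the Event ID 7 signature fields the same channel carries (`Signed`, `Signature`, `SignatureStatus`) so that a binary dropped at the agent's path does not inherit its exemption, and raise `SWEEP_THRESHOLD` to the number of processes a scan cycle on the host actually touches.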
354300x8000000000000000113590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:23.965{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52094-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000113589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:25.112{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:25.112{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC83C4351CE5F600A3EE0AA5C4CD2E48,SHA256=29E973E4CC547F03D578EE05C96469F8D3BCCC8AFF7746897B08BA59C32ED208,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:25.024{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000113586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:25.024{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=070432E7611488AB3411E65C851BAC9F,SHA256=E125B826FC5BBAD0CABE3DDF288A2F73A36A99BE89C86E32A79943C24C53447D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:26.488{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE62B0EC40F48C17EE700DBE090DEB4A,SHA256=90F3D64DDBBB5C2750DFF1DEBB85744B5DA27707D0E70D2E8D03B61E627A83FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:26.200{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:26.200{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B808AD1F00ACD69F3881F6B3CBA9D6,SHA256=2FBA48180A501E8426B909933EDBA0890C353A03EB1026DF5065322B99A86DA4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:26.032{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2023-01-10 09:30:10.975 23542300x8000000000000000113591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:26.032{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A1AC41BDE23F00247CED76F4220EDA2B,SHA256=2298931D9E38DE31245743A37357C5FF325827106DB96EE9EA39968EC23E5425,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:25.704{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50099-false10.0.1.12-8000- 23542300x800000000000000042377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:27.688{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301DD32C82BE22CDF9428A1E179BC2A0,SHA256=29F5C47D8D54DD0AC2C65C6334AF506CBC9A9D81BBAA4B7277218B53D9A7B025,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:27.662{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:24:27.662 11241100x8000000000000000113596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:27.275{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:27.275{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76236AF14B34EF5EB96258CE01D834BB,SHA256=F1DC4BE051AF92C47A1E848E40129CCB9C6CFC49682E7C3ACD455C4CBDD6276F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:28.774{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7B3805719F4A3005B43FBA2136BAB9,SHA256=6C3F70C951DB41DAA9701A1CDD747625E487BD12EE8BE7840D2DBE9F2BBD59E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:28.454{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:28.454{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7187422F832FCD8ADB36EE4DA22084,SHA256=5927EE61606EF4871C614D49011795942459B45A085F9CDB96DB861DDE00F757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:29.869{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFD3B44462DD622B5E614A2058E1219,SHA256=16C92C19BBFAC645930B42F308BBDCFFF27111FAA6D13AF1CBF3B5E079EF7A93,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:29.658{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:29.658{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A333E57CDFFA97390C1DF97F4F3D54,SHA256=965F2E365E528B6C3585F2B9E7B78608D3CB769427E716B33C413B367B1AA199,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000113650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:29.309{7DAC9CB3-C69D-63BE-FD01-00000000A702}6612C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000113695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000113694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000113693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000113692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000113691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000113690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000113689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000113688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000113687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000113686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000113685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000113684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000113683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000113682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000113681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000113680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000113679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000113678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000113677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000113676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000113675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000113674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000113673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000113672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000113671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000113669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000113668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000113667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000113666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000113664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:30.750{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:30.750{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000113659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000113658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.751{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000113657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.719{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=91414F6D6709614585FA9494155B3E49,SHA256=B3CE7B40F1B0C513AEB18B0BC5A4FE770B3A31A82D9E0D6F3F9C73C9871BEB30,IMPHASH=00000000000000000000000000000000falsetrue 
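The events above are Sysmon XML with the tags stripped by extraction, so adjacent field values run together ("734700x8000000000000000113709..." is EventID 7, Version 3, Level 4, Task 7, Opcode 0, Keywords 0x8000000000000000, EventRecordID 113709). As an added example that is not part of this page or of Sysmon/Splunk, the Python below recovers the fields a responder pivots on, relying only on what the Sysmon schema fixes: the System header order, Task equal to EventID, and the EventData field order of EventID 1, 7 and 10. The one lossy join is in EventID 10, where SourceProcessId and SourceThreadId become a single digit run ("26563220", "31163136"); the script resolves it by pinning PIDs to ProcessGuids from events where the PID stands alone, and flags the split as ambiguous otherwise. The sample events are copied from this page (records 113709, 113659, 113658 and 113669) with the call traces shortened to their first frames; the regexes, field names and the GUID-join technique are this example's own.

```python
"""Recover structured fields from tag-stripped Sysmon events (added example)."""
import re
from dataclasses import dataclass, field

GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
EXE = r"[A-Za-z]:\\.+?\.[Ee][Xx][Ee]"            # lazy: ends at the first .exe
MODULE = r"[A-Za-z]:\\.+?\.(?:[Dd][Ll][Ll]|[Ee][Xx][Ee])"
HASHES = r"MD5=[0-9A-F]{32},SHA256=[0-9A-F]{64},IMPHASH=[0-9A-F]{32}"


def _compile(*parts):
    return re.compile("".join(parts), re.S)


# System header: EventID Version Level Task Opcode Keywords EventRecordID Channel
# Computer, then "-" (RuleName) [EventType] UtcTime. Task == EventID in Sysmon, and
# that backreference is what disambiguates the fused leading digits.
HEADER = _compile(
    r"^(?P<event_id>\d+)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)",
    r"0x8000000000000000(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational",
    r"(?P<computer>.+?)-(?P<event_type>[A-Za-z]*)",
    r"(?P<utc_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<rest>.*)$")
IMAGE_LOAD = _compile(                            # EventID 7
    "^(?P<guid>", GUID, r")(?P<pid>\d+)(?P<image>", EXE, ")(?P<loaded>", MODULE, ")",
    ".*?(?P<hashes>", HASHES, ")(?P<signed>true|false)(?P<signature>.*?)",
    r"(?P<status>Valid|Invalid|Unavailable|Errors)\s*$")
PROCESS_ACCESS = _compile(                        # EventID 10: PID and TID are fused
    "^(?P<src_guid>", GUID, r")(?P<src_pid_tid>\d+)(?P<src_image>", EXE, ")",
    "(?P<tgt_guid>", GUID, r")(?P<tgt_pid>\d+)(?P<tgt_image>", EXE, ")",
    r"(?P<access>0x[0-9a-f]+?)(?=[A-Za-z]:\\)(?P<call_trace>.*)$")
PROCESS_CREATE = _compile(                        # EventID 1, subset of fields
    "^(?P<guid>", GUID, r")(?P<pid>\d+)(?P<image>", EXE, ").*?(?P<hashes>", HASHES, ")",
    "(?P<parent_guid>", GUID, r")(?P<parent_pid>\d+)(?P<parent_image>", EXE, ")",
    "(?P<parent_cmd>.*)$")
GENERIC = _compile("^(?P<guid>", GUID, r")(?P<pid>\d+)(?P<image>", EXE, ")(?P<payload>.*)$")
BODY = {1: PROCESS_CREATE, 7: IMAGE_LOAD, 10: PROCESS_ACCESS}
PID_KEYS = (("guid", "pid"), ("tgt_guid", "tgt_pid"), ("parent_guid", "parent_pid"))


@dataclass
class Event:
    event_id: int
    record_id: int
    computer: str
    utc_time: str
    event_type: str          # "" except for registry events ("CreateKey", ...)
    fields: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)


def parse_event(raw):
    """Parse one flattened event; returns None if the header does not match."""
    m = HEADER.match(raw.strip())
    if m is None:
        return None
    ev = Event(int(m["event_id"]), int(m["record_id"]), m["computer"],
               m["utc_time"], m["event_type"])
    b = BODY.get(ev.event_id, GENERIC).match(m["rest"])
    if b is None:            # e.g. EventID 23, where User precedes Image
        ev.fields["payload"] = m["rest"]
        ev.notes.append("layout not modelled; payload kept raw")
        return ev
    ev.fields.update(b.groupdict())
    for _, pk in PID_KEYS:
        if pk in ev.fields:
            ev.fields[pk] = int(ev.fields[pk])
    return ev


def parse_dump(raw_events):
    """Pass 1 pins PIDs to ProcessGuids; pass 2 splits EventID 10's fused PID+TID."""
    events = [e for e in map(parse_event, raw_events) if e is not None]
    known = {}               # ProcessGuid -> PID, only from fields where the PID stands alone
    for ev in events:
        for gk, pk in PID_KEYS:
            if gk in ev.fields and pk in ev.fields:
                known[ev.fields[gk]] = ev.fields[pk]
    for ev in events:
        digits = ev.fields.get("src_pid_tid")
        if digits is None:
            continue
        pid = known.get(ev.fields["src_guid"])
        if pid is not None and digits.startswith(str(pid)) and len(digits) > len(str(pid)):
            ev.fields["src_pid"], ev.fields["src_tid"] = pid, int(digits[len(str(pid)):])
        else:                # nothing in the dump pins this GUID's PID
            ev.fields["src_pid"] = ev.fields["src_tid"] = None
            ev.notes.append("SourceProcessId/SourceThreadId split of %r is ambiguous" % digits)
    return events


# Four events copied from this page (records 113709, 113659, 113658, 113669);
# the two call traces are shortened to their first frames.
SAMPLE_EVENTS = [
    r'734700x8000000000000000113709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.953{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid',
    r'10341000x8000000000000000113659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890',
    r'154100x8000000000000000113658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.751{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'10341000x8000000000000000113669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:30.750{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C69E-63BE-FE01-00000000A702}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7',
]
```

On this page the ProcessCreate record for splunk-admon.exe names splunkd.exe (GUID {7DAC9CB3-BE97-63BE-2800-00000000A702}, ParentProcessId 2656) as its parent, which is what lets "26563220" split as PID 2656 / TID 3220; conhost.exe's "31163136" stays flagged because no event here gives that GUID's PID on its own. The 0x1fffff (full access) grants in these EventID 10 records come from the parent splunkd.exe, from csrss.exe and from conhost.exe, all of which hold full handles to a child or console process by design, so a detection keyed on GrantedAccess alone would fire on this benign startup sequence; key it on the source image and call trace as well.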
10341000x8000000000000000113712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:31.430{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000113711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:31.431{7DAC9CB3-C69F-63BE-FF01-00000000A702}2240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000113782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:32.984{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:32.984{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06E4A5BC86EFC84344910817B3BAEE5,SHA256=FB5FA684B518B5AD7E118FD13EFF2B9F445AA8F343381F985557F2FAFF7A28C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:32.249{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92453C815572FA88F980D61A24605113,SHA256=1600A70CC69FBC90D484749EF26CD223B0FE705A5AC4BE717B90AE3F98CDE972,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:29.950{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52096-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000113779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:32.274{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000113778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:32.274{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039C0CF086941EC668DF5464839C2ADE,SHA256=645F428E093933814A1D5E68E0D7D7C509CA7BC989F33E8324EA6750B50525BF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:32.010{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:32.010{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494C1B6E43A4EE8876E73F1C5A4A7BC3,SHA256=66528A0F89291F53B80FE183A89E93F21CFED698C1175B2A7D22FB77E58EEA12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:31.698{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50100-false10.0.1.12-8000- 23542300x800000000000000042383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:24:33.434{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E83400927EA431B4BE2A1F841445FB,SHA256=4B9BBFEAB1708FF6551E84BC6D890F5C2E63196B6C3A29E4CB534BFD71546BA7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000113833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.503{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000113832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.502{7DAC9CB3-C6A1-63BE-0002-00000000A702}51526624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.502{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000113830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.501{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000113829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.273{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000113828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.273{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000113827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.273{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000113826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.273{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000113825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.273{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000113824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.273{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000113823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.273{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000113822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.273{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000113821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000113820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000113819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000113818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000113817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000113816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000113815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000113814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000113812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000113811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000113810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000113809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000113808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000113807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000113806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000113805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000113804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000113803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000113802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000113801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:33.258{7DAC9CB3-C6A1-63BE-0002-00000000A702}5152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
14:24:34.836{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C6A2-63BE-0202-00000000A702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000113889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.836{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6A2-63BE-0202-00000000A702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000113888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.837{7DAC9CB3-C6A2-63BE-0202-00000000A702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000113887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.491{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.491{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5731ACDC839DEBCABC74AB7E9E4026F7,SHA256=511120BDAA03444D851A3234C6ED7B53F23B13A6B9B5094DF5ADE113CBFF81E5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000113885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.428{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000113884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.428{7DAC9CB3-C6A2-63BE-0102-00000000A702}48884656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.397{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000113882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.397{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000113881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.179{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000113880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.179{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000113879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.179{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000113878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.179{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000113877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.179{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000113876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.179{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000113875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.179{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000113874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.179{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000113873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000113872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000113871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000113870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000113869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000113868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000113867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000113866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000113864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000113863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000113862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000113861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000113860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000113859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000113858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual 
Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000113857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000113856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000113855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000113854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000113853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000113852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000113851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000113850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000113849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000113848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000113847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000113846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000113845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000113843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000113842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 
10341000x8000000000000000113840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000113838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000113836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000113835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000113834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:34.163{7DAC9CB3-C6A2-63BE-0102-00000000A702}4888C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:35.716{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58321C1840696393A390457A7856C9CE,SHA256=ACD790BF2113019CBCDF03912620B94DCFD2A2F87395BE36CB3115158A554D64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.922{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000113943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.922{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A65252E805E29AA25517278718D2780,SHA256=3528F9B9ABC58D9FAD23E01D3B3200F31721CB167A093BA56DEE8463A6D886A2,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000113942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.329{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.329{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14705DF0CAD905A423C8B733C4A0E00D,SHA256=0D19D22D8DF414A27FB2180E6D3AE046A2AFC7C52A0071986E8B49F6075E65F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000113940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.115{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.115{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFA8D2F5173A4062B168FCFB1125E19,SHA256=A9B33A6FAF18C63782E6E014BD981D86AF8A2ACED3493F873FB7BD809C8B28E0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000113938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:35.020{7DAC9CB3-C6A2-63BE-0202-00000000A702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000113937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.020{7DAC9CB3-C6A2-63BE-0202-00000000A702}35683352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.020{7DAC9CB3-C6A2-63BE-0202-00000000A702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000113935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:24:35.020{7DAC9CB3-C6A2-63BE-0202-00000000A702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000042387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:36.792{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669EE4BAC24341882C35F300B7EF77C2,SHA256=94DF95D584AE9F55523E866B32D399BB39AB916CBC15080F3F4FC48665254FB9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000113997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.761{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000113996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.761{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000113995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.761{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000113994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.563{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000113993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.563{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000113992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.563{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000113991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.563{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000113990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.563{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000113989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.563{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000113988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.563{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000113987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.550{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000113986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.549{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000113985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.549{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000113984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.549{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000113983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.549{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000113982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.549{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000113981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.548{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000113980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.548{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000113979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.548{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000113978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.548{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000113977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.548{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000113976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.548{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000113975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.548{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000113974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.547{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000113973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.547{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000113972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.547{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000113971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.547{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000113970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.547{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000113969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.547{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000113968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.546{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000113967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.546{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000113966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.545{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000113965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.545{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 
(rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000113964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.544{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000113963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.544{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000113962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.541{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000113961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.541{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000113960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.541{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.541{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x8000000000000000113958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.541{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000113957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.541{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000113956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.541{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000113955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.540{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000113954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.540{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000113953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.539{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000113952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.539{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.539{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000113950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.539{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.539{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000113948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.539{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000113947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.538{7DAC9CB3-C6A4-63BE-0302-00000000A702}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000113946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.386{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000113945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:36.386{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFBC02F0CE2E700DF563D3D16EB6D0D,SHA256=4E629AAD87AA7AC5FCE7AE755494179E7A4B45C70DD6AE5B20B91B9803341934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:37.855{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190EBB59649569FB1D6B874321B80657,SHA256=94B5A5B49D2A77D31A9A9BBC7ADC828C6AC0A64ADADE07FC5977C56067E40011,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000113998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:35.957{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52097-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000042389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:38.926{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E09297D2E2E8F32DA6EB4DCF3C57B6,SHA256=5DA5039E16C3B8D9C142E1C08DCBAF27E174A3F0E3D612CA24A65FAE7C85CA34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:38.906{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:38.906{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F565A578AFC005F51B1487E77E71EA06,SHA256=7C6F71AD72450F7FC5B93CF13379E0CDBCD5D6463E3C875CD891E1CA52A69CA4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:38.115{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000113999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:38.115{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071BE75682516E11397011ACB569A1EF,SHA256=8AF23562B6598521FDBD1E440E84A480D6F00554595EC9F8F810A82D83CBE68D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:39.995{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:39.995{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED31723967C93A21EABDBD26CCC4DF57,SHA256=0A746B7673103E28834B8CCE38DC22F361733E9C43637AD6364D941296C7BCC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:37.675{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50101-false10.0.1.12-8000- 23542300x800000000000000042391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:40.023{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1EAB16C3CE670FD8BC7028DDAA2D84,SHA256=35ADD844D4D371E585B1D04E3E59C12D731B6FA4C9E926EC8A5AE49F0FFF61E3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000114016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000114015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001fd1ff) 12241200x8000000000000000114014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x8000000000000000114013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925c0-0x0f42f502) 13241300x8000000000000000114012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c8-0x71075d02) 13241300x8000000000000000114011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925d0-0xd2cbc502) 13241300x8000000000000000114010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000114009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001fd1ff) 12241200x8000000000000000114008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x8000000000000000114007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d925c0-0x0f42f502) 13241300x8000000000000000114006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d925c8-0x71075d02) 13241300x8000000000000000114005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:24:40.871{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d925d0-0xd2cbc502) 23542300x800000000000000042392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:41.211{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3823F17D7311916F374B8F9C1703CD,SHA256=5560D10A69655597A9CCF28BECD9B6E4EADEB1D6714D49A676F6D0C960297553,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.819{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.816{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.803{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.801{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.796{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.793{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.789{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.246{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.230{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.225{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.223{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.221{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.220{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.199{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.194{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.189{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.169{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.151{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.144{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.134{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.128{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.117{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.110{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.103{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000114020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.089{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.088{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630B941989BDAEFF54CB2E5D63D6C913,SHA256=BA931077D80AE9EED7FD21FB345150410B8175C359D94B21A71BBFF933F974A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.056{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.050{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000114046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:42.522{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:42.522{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCA031C406BE710A1A59C918F48F6B0,SHA256=240B1CAB66516CA804FF87BE6E9E942EDCD1B0D9089B280923A717686830F4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:42.461{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BD1A3E3CFB46292BB4D8E0267D978E2B,SHA256=30B8ED971FE7615B263264F0FEFDE22267F353731B240CC9093B63D205E35258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:42.289{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E552A030AB842894F49FBE01DEB2774,SHA256=5D6E2523587C1B1C0B89CBE997051A9622DB170BA5609D33E01DF3B4B61ECD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:43.375{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A8E10904726230FF10127A06CEA81D,SHA256=6871470B6A750CAE7E44CD3A05136D83AB759C66EA891906B14B7283C572ED14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:43.855{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:43.845{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:43.844{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000114049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:43.625{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:43.625{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C1EF05C40161259D24734677D5D964,SHA256=355888BC0BC05A52FBD62091B2A106A85D242706E9C97EB9211349580DE1F0A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:41.829{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52098-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
10341000x800000000000000042425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.611{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.607{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.605{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.603{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.602{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.599{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.597{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.596{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.595{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.592{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.586{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.579{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.574{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.560{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.549{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 
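The export above has lost its field delimiters. Read against the Sysmon schema, each of the repeated records is an Event ID 10 (ProcessAccess) entry: EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace. Every one of them shows aurora-agent.exe opening another process (svchost.exe, lsass.exe, winlogon.exe, dwm.exe, LogonUI.exe, spoolsv.exe, sysmon64.exe, the Splunk and SSM agents) with GrantedAccess 0x40, which is PROCESS_DUP_HANDLE only, through the same WoW64 call stack ending in aurora-agent.exe+6a255. That is what a 32-bit scanner enumerating handles looks like, and a rule that alerts on any open of lsass.exe would fire on all of it. The following is an added example, not part of the export and not Nextron or Splunk code: it parses ProcessAccess records, decodes the access mask, and separates a baselined enumerator from an lsass.exe open that can actually read memory. The records it runs on are constructed for the example (Sysmon EventData without the Event/System wrapper and namespace; the first mirrors the export's aurora-agent.exe record with an abbreviated call trace, the other two are invented), and the HANDLE_ENUMERATORS allowlist is an assumption for the example, not a vendor statement.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example; not part of the original log export and not Nextron or Splunk
code. Sample records are constructed: the first mirrors the aurora-agent.exe
events in the export (GrantedAccess 0x40 on lsass.exe, WoW64 call trace ending
in aurora-agent.exe+6a255, abbreviated); the other two are invented.
"""
import ntpath
import xml.etree.ElementTree as ET

# Process access rights (winnt.h) used to decode GrantedAccess.
ACCESS_BITS = {
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption for this example: scanners that sweep every process asking for
# PROCESS_DUP_HANDLE only, keyed on the full image path seen in the export.
HANDLE_ENUMERATORS = {r"c:\program files\aurora-agent\aurora-agent.exe"}

# Call-trace modules that indicate a MiniDump of the target.
DUMP_FRAMES = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")

# Constructed Sysmon EventData (no Event/System wrapper, no namespace).
SAMPLE_EVENTS = [
    r"""<EventData>
  <Data Name="UtcTime">2023-01-11 14:24:41.056</Data>
  <Data Name="SourceImage">C:\Program Files\Aurora-Agent\aurora-agent.exe</Data>
  <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
  <Data Name="GrantedAccess">0x40</Data>
  <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190)</Data>
</EventData>""",
    # Invented: a binary reading LSASS memory through dbgcore (offsets arbitrary).
    r"""<EventData>
  <Data Name="UtcTime">2023-01-11 14:30:00.000</Data>
  <Data Name="SourceImage">C:\Users\Public\dump.exe</Data>
  <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
  <Data Name="GrantedAccess">0x1010</Data>
  <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9d254|C:\Windows\System32\dbgcore.dll+2a1e4|C:\Users\Public\dump.exe+1f20</Data>
</EventData>""",
    # Invented: same 0x40 mask and file name as the agent, but from an unbaselined path.
    r"""<EventData>
  <Data Name="UtcTime">2023-01-11 14:31:00.000</Data>
  <Data Name="SourceImage">C:\Users\Public\aurora-agent.exe</Data>
  <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
  <Data Name="GrantedAccess">0x40</Data>
  <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9d254|C:\Users\Public\aurora-agent.exe+3c10</Data>
</EventData>""",
]


def parse_event(xml_text: str) -> dict:
    """Return the EventData fields of one Sysmon event as a name -> value dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}


def describe_mask(mask: int) -> list:
    """Name the known rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def triage(ev: dict) -> str:
    """Classify one ProcessAccess event.

    baseline   - a known enumerator (full path match) asking for DUP_HANDLE only
    suspicious - lsass.exe opened with VM_READ or ALL_ACCESS, or via a dump DLL
    review     - any other lsass.exe open from an unbaselined source
    info       - everything else; keep for hunting, do not alert
    """
    mask = int(ev["GrantedAccess"], 16)
    source = ev["SourceImage"].lower()
    target = ntpath.basename(ev["TargetImage"]).lower()
    trace = ev.get("CallTrace", "").lower()

    if source in HANDLE_ENUMERATORS and mask == 0x40:
        return "baseline"
    if target == "lsass.exe":
        reads_memory = bool(mask & 0x10) or mask == PROCESS_ALL_ACCESS
        dumps = any(frame in trace for frame in DUMP_FRAMES)
        return "suspicious" if (reads_memory or dumps) else "review"
    return "info"


def triage_all(xml_events) -> list:
    """Triage a batch; returns (UtcTime, source basename, mask names, verdict)."""
    out = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        out.append((ev["UtcTime"], ntpath.basename(ev["SourceImage"]),
                    describe_mask(int(ev["GrantedAccess"], 16)), triage(ev)))
    return out


if __name__ == "__main__":
    for row in triage_all(SAMPLE_EVENTS):
        print(row)
```

Two caveats on the baseline. First, it is keyed on the source path, not on the 0x40 mask alone: PROCESS_DUP_HANDLE lets the caller duplicate handles out of the target's handle table, so an unbaselined process asking for 0x40 against lsass.exe still lands in review rather than info. Second, a path is something an administrator can reproduce, so in production the allowlist should also be tied to the image's signer or hash from the matching Event ID 1 record, and the baseline should be re-checked when the agent updates, since the aurora-agent.exe+6a255 frame that makes these records so uniform will move with each build.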
10341000x800000000000000042410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.544{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.529{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001923F390) 10341000x800000000000000042408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:44.514{3EE3745C-BE85-63BE-2100-00000000A802}15521276C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-033MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:48.683{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50103-false10.0.1.12-8000- 23542300x800000000000000042431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:50.104{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51DC50FCB4C0D253F881E174072083B,SHA256=41E0C9C230DED577EA187ECFCFEBC121D70CFFB6B6732169C90323B55B0FA8FF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:50.253{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:50.253{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED433D412512241E610B82A10950A132,SHA256=8A91F0D9FFDA922F1167FB89AAC262B002361B3EF27FFAD08063CB8F97CE24D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:51.841{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:51.183{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1459C2F61F2D6C21DA89DC2E422E4878,SHA256=29090E2C72B7CF76367344AD8C2198EFF74A372DC2B1FDB45B5CDB90A1433BDD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:51.342{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:51.342{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5808357816CA82D917128C50768F9D0E,SHA256=102D10CC499CCDA575702185957C2BC00C1F0478DC2A5D8055DF6A5EF62946F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:52.381{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DA47F36D9951C352CCBD213010887C,SHA256=60F66A95589330DEBEF55FC25C8B833E8D57697EFEA0DA3991A699F0652525F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:52.430{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:52.430{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F851E4BA28629EBE52E8B345AB502B1B,SHA256=F2EE9B1CBE7D62E3E55ACDEA1A29F70E38670FBBFFC1D0D29DC1AD1DD8024405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:53.567{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08901A94894510880C960518FA0E4BBC,SHA256=5A9B886E50B29B2FB065752D1234D7BF0CFEA52C5E5671C44581ACD5468CC3DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:53.517{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:53.517{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8FC649C51CA49214537AE1D7EF469C1,SHA256=47204305C9876654490C4788C191DC13D06A41FA354648EB79A83121E1299D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:54.758{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E450A0BF3FD1E1EAF528C16650AAB0F1,SHA256=00F4165F3294F433BFCE6F2130423D70BE73A8C2FF2991224EFD658E459ED546,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:54.720{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:54.720{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356BA275AB58A6CC77F6CEE8D680B098,SHA256=0F90A140C1DEAF0AC06BA4B71C771F5FB1EA7BE598D331935300B36B9E33CA12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:52.885{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52100-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000114119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:55.806{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:55.806{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F00EAE7C38F33E06151D065BA13C95,SHA256=0EC42E639F2A7EA4FFDC071E74DE9DF80DF9CA7DC77FEC148E480FA9E76F6E3A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:56.886{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:56.886{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA1B653936A7B7C88909BFBE202D90F,SHA256=30BB61A3C0674EAABAFFFC3C3A7898EC8573167FD70F0660B51A114A54002074,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:54.645{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50104-false10.0.1.12-8000- 23542300x800000000000000042439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:56.061{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CD1005C9504DE7BB171210FB35C216,SHA256=A6270EA4DA977A1CCEAD2BEA7A18AEC44E2218AA7A1D8ECC905B8E30B5EBF98E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:57.971{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:57.971{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D914D0493AE727D2EE70CDE713BAADC,SHA256=DBE0C2CE241BCAAE61EBD8AAA63C930C3D7A6450022ADFC2FADF97DF02CB7AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:57.151{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D48C94E970FB614BB8E43FED6D121B7,SHA256=D7B70E3A9C6850178619C2EDA4AA6324F3D2235FA80214F4F9895B3ECA45D2FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:57.658{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:24:57.658 23542300x800000000000000042443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:58.339{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74016C15AE849E29AD455467A9C6E7B,SHA256=F3117FAFAC00379F68BDB3F3587233CA573F97F95AED0A6158A3FC52B35118E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:58.065{3EE3745C-BE85-63BE-1100-00000000A802}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B4D4CFD46765B2305E7DAE385CD272A8,SHA256=C25196DE4DEE2EC359694F35E628CFFEB587D0AD65E7ADA181ED05AF36CAF5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:24:59.535{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BA0B985A1BD156EB5A2206D344BEEE,SHA256=6CCF4A433E0015AA66228FC3B8B82B392D658FDA075152E50D538C5E1AB6766F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:59.072{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000114125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:59.072{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC1A099A2E5E368BEF4B72F1E3C475D,SHA256=B0B9C6DC5FE4AA1A62FD05C02E505FB5743A9E5D302F1F4DEE645644DAF7B73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:00.645{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6AAE3B2AB566132F35E93632092B8B,SHA256=9D3D5B9E885ECFD27B7A9431892B8004D72C6E6420650F17A3557AEC7F61C122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000114130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:00.908{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5AB80D48EBBD283BA20D493A1836ACD3,SHA256=2B13DB921A218BE5CD19304FCBD175D78D3A856AB4DB450AA33D63546F6256A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:24:58.887{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52101-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000114128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:00.172{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:00.172{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44F66A33659AFD8BF3DD4CC0979544A,SHA256=A08344326E7B178319EC00D01272E7B179F9D6E51756A4D58E50E237BB37CD67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:01.839{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B25528A30614D68538300DBE2CF4202,SHA256=6313A754542584487C6D2A8E084F5BD1CE1614C2C1D4A2D2DBC7BFDA35BE4B52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.274{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000114150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.251{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.251{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877FECE87118E50EEAEC394808AF2734,SHA256=951371CE7AC0B1CE0015F3370CFFFDF370238D153E49B28A91D87DC64128AECE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.246{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.228{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.226{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.222{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.217{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.180{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.168{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.159{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.141{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.130{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.118{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.108{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.098{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.070{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.057{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.049{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.002{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:01.000{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000114162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.281{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.281{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA3B035D84820A4AAE4BEDFDCBCCE88,SHA256=7EE831C442689DAF2A1DDDA8D95CA76B7FF9465079564A5C65194D837019E3F3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.171{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2023-01-11 13:51:01.788 23542300x8000000000000000114159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.171{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E819B00E6FBE5405B87A929142B21CC2,SHA256=2F3A36F1495486174B9A2FDD20EEF90A6EEFE3F7E624E3EF884DA3507ECD8471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.061{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.060{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.056{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.053{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.047{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.036{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:02.029{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000114164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:03.387{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:03.387{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6128661537EA61863B23DC2D8D66437C,SHA256=3E3627C216D6C8E437026B0201627A59085637A23014DD20E663B4ADA2954D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:00.638{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50106-false10.0.1.12-8000- 354300x800000000000000042448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:00.217{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50105-false169.254.169.254-80http 23542300x800000000000000042447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:03.139{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA68F40456275394CE46AB849F073D9,SHA256=61C7D84605CBFF3C2757B2737551B0513F025F579FD4F0D4796A0C1F50D7459C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.879{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:04.870{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.867{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.858{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.855{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.853{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.853{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.850{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.814{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.785{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.694{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.685{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.659{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.647{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.645{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.640{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.633{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.630{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.628{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 10341000x8000000000000000114170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.626{7DAC9CB3-BF9C-63BE-B700-00000000A702}58401392C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001CBE8190) 11241100x8000000000000000114169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.469{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:04.469{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B98CD98D2F2BDD9647D5955111DB65,SHA256=615B2BBB0537DBC6A92B7DD4DED52E7DAA140A26302199C7127A8ECA67AE8EA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:04.692{3EE3745C-BE85-63BE-2100-00000000A802}1552340C:\Program 
14:25:10.984{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:10.984{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:10.984{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:10.983{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:10.983{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C6C6-63BE-9001-00000000A802}2816C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:10.983{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C6C6-63BE-9001-00000000A802}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:10.983{3EE3745C-C6C6-63BE-9001-00000000A802}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:10.168{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED260D6B0E7464562BD71EE85F0402F2,SHA256=13DC7D21F9F8A7CDA8B932A7365EE0DE7164B2744A79ED6430B91763B7B29557,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:09.900{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52103-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000114206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:11.046{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:11.045{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1062D03D1D32CB97219B467874EFCAC5,SHA256=F4801ADF4DB9FA43BD9B6AC49BDA7B15DB2D20864D41C747550B85D04D7EE0D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.890{3EE3745C-C6C7-63BE-9101-00000000A802}32442880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.734{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=52D42E33AFD5F3BB0C904FF9F25C99CA,SHA256=4E4A3FCCCCE57E7F57D72DE088D5C8E13A8386F99842F7990A6DC7812A686E93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.655{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C6C7-63BE-9101-00000000A802}3244C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:11.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:11.654{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:11.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:11.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.653{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.652{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C6C7-63BE-9101-00000000A802}3244C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.652{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C6C7-63BE-9101-00000000A802}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.652{3EE3745C-C6C7-63BE-9101-00000000A802}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000042502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:09.169{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50108-false10.0.1.12-8089- 23542300x800000000000000042501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:11.249{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA719E4680163796B189563E67FB492D,SHA256=024D7B0DEB14ED5CB92A9029016DBBA3348C72B95B815BD8C78114C311B2E3BE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:12.338{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:12.338{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFDB509BC7AE8C4BE8C41269C42B054,SHA256=683BB161DFF2FC77F1AC80F68918B28CBEA395992FE6DA4213E50A6E72B9E524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.665{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B73011652FA0B4C9A7FF320598E85867,SHA256=6F50B3D2A8913915B575AAC73156F5551A36C414DDA5F7CD90E0B1EBC7561F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.355{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E01E6B902770453E171AECCBF62E95,SHA256=510790222F74680AC530CBFF5280372114EC381001987F8D5413F07A687449FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.324{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C6C8-63BE-9201-00000000A802}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:12.324{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.324{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C6C8-63BE-9201-00000000A802}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.324{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C6C8-63BE-9201-00000000A802}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.325{3EE3745C-C6C8-63BE-9201-00000000A802}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:12.058{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68A227FBAF768121322E8CB63E06A614,SHA256=046F8E3E528D18CC5DCF75404E3B414378A32C7A55C8389CB4D2A80F9FBCDB39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:13.993{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.993{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C6C9-63BE-9301-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.993{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C6C9-63BE-9301-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.994{3EE3745C-C6C9-63BE-9301-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.434{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9751EE2FA25527A68073E8DD5E382C,SHA256=B8627D8B547EC06832DF5FF2F0A3EFC8710BC3801EFF6BC932B98E868BFF3D0F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:13.416{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:13.416{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27954AF2C23D6C154BE332A4BAAD4FBF,SHA256=480F473272103C1B8FA3CF42A88611151F377A7F2A834E4BE6311A7B06E2C332,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:10.822{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50109-false10.0.1.12-8000- 10341000x800000000000000042563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.684{3EE3745C-C6CA-63BE-9401-00000000A802}7203616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
11241100x8000000000000000114213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:14.722{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:14.722{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE433BC6464D8185BE7D988BC652CB3F,SHA256=38DDBE5A9D41633856233C91EE3B1F95E2164F48AC9EF6FBF5DB1FE3DC0C9926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.484{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C6CA-63BE-9401-00000000A802}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.484{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C6CA-63BE-9401-00000000A802}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.484{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.484{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C6CA-63BE-9401-00000000A802}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:14.485{3EE3745C-C6CA-63BE-9401-00000000A802}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000042549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:14.218{3EE3745C-C6C9-63BE-9301-00000000A802}18921104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:13.993{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C6C9-63BE-9301-00000000A802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000114215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:15.793{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:15.793{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFEB17F778B9D0DE0242D8B125AA80DF,SHA256=4E140496143F0B65587A465AE7518ED1064A3A8255D5ADBE58468DE5ADBB7A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.731{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A634B55BAABFF70CBC59403684EE0637,SHA256=7A9190332A1A561E4614831B62357EB0A82DAAABEA6D01E05F9C1B17152A0E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.356{3EE3745C-C6CB-63BE-9501-00000000A802}40883852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.106{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C6CB-63BE-9501-00000000A802}4088C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.106{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C6CB-63BE-9501-00000000A802}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.106{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C6CB-63BE-9501-00000000A802}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:15.106{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.109{3EE3745C-C6CB-63BE-9501-00000000A802}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:15.106{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0408ED3BE1E01766A7534C466B12FB,SHA256=58CE0E7A1EB3BA26A2FA7FA99F9A52DDC7E622D0B74B987E8BD43373BCA8EEEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:16.881{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:16.881{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3AD89D95EB5C0722D7A94BA5EF900E4,SHA256=0C096E0BE292C8D4771AC88839C35DD53896E61BBF6D9C46878475A73B46F356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.829{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D1339C35B2A343B551DEEE4F67B86A,SHA256=13FF7DEE6FBF980C3BF9BCF272F7E6BE4858EF1BF4A922643BB287A10307F219,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:16.221{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-10 09:33:07.314 23542300x8000000000000000114216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:16.221{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.477{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C6CC-63BE-9601-00000000A802}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:16.477{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.477{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C6CC-63BE-9601-00000000A802}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.477{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C6CC-63BE-9601-00000000A802}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.478{3EE3745C-C6CC-63BE-9601-00000000A802}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000114221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:17.982{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:17.982{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5721EA9313E25CF485454E3FC7B1246E,SHA256=1AC647031E155246423E3817A84B4A2A780D24BFD4091A9527340BAAF088B68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:17.919{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825C6747DAC043BF9478EAB7B8CC638B,SHA256=F96916C37890813AB1A3593931C94517772A46A239BDDA274DCCEE68C3E95465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:17.583{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8264CA54581A5DFDFA6747377A811B0,SHA256=E19B12D37514D1B433DB10C09857BD45A87C8725D6F0F682D4577E8CE62551C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:16.004{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52105-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000114222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:15.905{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52104-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000042597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:16.829{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50110-false10.0.1.12-8000- 23542300x800000000000000042596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:19.094{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225FB40935B1AA09863176B61F17EA5E,SHA256=19EFA768EF984BEFC41DAFA65C29FA1C255A8DB1E088C20F7C50BB06DA1E0FD0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:19.075{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:19.075{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFA268BF4872E924E91AB30E68E9578,SHA256=A147C963A59504EB5BC2340AAB0E2BF71524EC7C6D28FBFF3C08CD0321B63DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:20.280{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6F0A3DF13BEA062B802DB0D55914E1,SHA256=0D59F975CDE80FDA7C388844AF2B26A5B2A092FCF02FD4A424F59D63DA19E701,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:17.912{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52106-false169.254.169.254-80http 11241100x8000000000000000114227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:20.159{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:20.159{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDD8A4CF92C7E17ABCD6390B988C3A5,SHA256=6A8D39D329137BF15B7E1594A7453B63AE3493AD5C500E26D5935FCF3005379A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:21.471{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2360D2CE7762D864E45C6F7FD5CE0BB,SHA256=DE4BCC122845AC413EBA959996EE771D159652D0FD7882782E44247C78A30C70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.877{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.876{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.869{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.867{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.858{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.855{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.845{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.258{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 11241100x8000000000000000114248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.238{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 
09:32:18.990 23542300x8000000000000000114247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.237{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F15493E8E48944D7A1F8C09FEC43B5,SHA256=03B0571CB56941E26A6D27E8D78E7B3158934892395A3E8E639A337F2DEB0091,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.236{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.224{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.221{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.219{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.217{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.184{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.173{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.167{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.150{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.137{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.124{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.117{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.109{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.091{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.075{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.062{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.004{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.000{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000042600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:22.561{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3277A9CC932916E6C4B9B1174DA595,SHA256=361587F3FE9131041460F319412E03C5042751AC468732BB4BF494A06A51FD33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:22.280{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:22.280{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8014E2927597AA5BEBA5C4A4D3B0464B,SHA256=E55C75D217A9CDB44EA80A90B6B42B0E770BCB124308B227D1EA32534C0BA55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:23.645{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D84AB81FCD2EEC599F3B580FA45B56,SHA256=F177C7C22AD16A1521F638CCE9FECCFE2E52772D41D54242705F2E03231C0B3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:23.924{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:23.922{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:23.920{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 11241100x8000000000000000114260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:23.359{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:23.359{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4B459D45E373283917796805F9A8F2,SHA256=9DF8B671F2CC2DE0E97488CE74A94A241D78BB58237F70140BD62AA968BCF74C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.555{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.553{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.552{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 11241100x8000000000000000114283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.548{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.548{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB46501392F94AEE4439550383102EC,SHA256=B79386F238891AC9936D75E94724DEB8095776CC15D29C58F56804ACF9283681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.545{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.541{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.540{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.539{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.538{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.518{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.509{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.478{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.470{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.458{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.451{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x800000000000000042630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.601{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.596{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.594{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.589{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.588{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.585{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.584{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.583{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.581{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.570{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.557{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.551{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.548{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.541{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.529{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 
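The records above are Sysmon events exported with their field delimiters stripped: EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer and UtcTime run together, followed by the event body (for Event 10, ProcessAccess: SourceProcessGUID, SourceProcessId+SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace). The block below is an added example, not part of the export or of the tools that produced it (Sysmon, Aurora-Agent, the Splunk forwarder): it parses records of this flattened shape and runs two detections over them, one for handles to lsass.exe that can read its memory and one for system-binary lookalikes in user-writable paths. Three of the four sample records are copied from the export (42603, 114281, 114264) with their CallTrace cut to first and last frame; record 999999, the scanner allowlist path and the 0.85 name-similarity threshold are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed sample input. Records 42603, 114281 and 114264 are copied from the export
# above with their CallTrace cut down to first and last frame; record 999999 is a
# hypothetical one (not on the page) showing what a real credential-access hit looks like.
SAMPLE = [
    "10341000x800000000000000042603Microsoft-Windows-Sysmon/Operational"
    "win-host-ctus-attack-range-780-2023-01-11 14:25:24.414"
    "{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\\Program Files\\Aurora-Agent\\aurora-agent.exe"
    "{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\\Windows\\system32\\lsass.exe0x40"
    "C:\\Windows\\SYSTEM32\\ntdll.dll+a6154|UNKNOWN(0000000013438F10)",
    "10341000x8000000000000000114281Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.545"
    "{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\\Program Files\\Aurora-Agent\\aurora-agent.exe"
    "{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\\Users\\Administrator\\AppData\\Roaming\\svchosts.exe0x40"
    "C:\\Windows\\SYSTEM32\\ntdll.dll+a6154|UNKNOWN(00000000135803D0)",
    "10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:30:00.000"
    "{7DAC9CB3-C5DC-63BE-D801-00000000A702}53005312C:\\Users\\Administrator\\AppData\\Roaming\\svchosts.exe"
    "{7DAC9CB3-BF8B-63BE-9C00-00000000A702}640C:\\Windows\\system32\\lsass.exe0x1010"
    "C:\\Windows\\SYSTEM32\\ntdll.dll+a6154|UNKNOWN(0000000000000000)",
    "354300x8000000000000000114264Microsoft-Windows-Sysmon/Operational"
    "win-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.895"
    "{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps"
    "\\Splunk_TA_stream\\windows_x86_64\\bin\\streamfwd.exeNT AUTHORITY\\SYSTEMtcptruefalse10.0.1.14"
    "win-dc-ctus-attack-range-661.attackrange.local52107-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-",
]

# System header as it survives in the export: EventID Version Level Task Opcode Keywords
# EventRecordID Channel Computer "-" UtcTime ... Sysmon sets Task equal to EventID, which is
# what lets the backreference find the boundary inside the run-together digits.
HEADER = re.compile(
    r"^(?P<event_id>\d+?)(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9A-F]{16})(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<body>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}.*)$"
)
# Event 10 (ProcessAccess) body. SourceProcessId and SourceThreadId were concatenated by the
# export (15522488 could be 1552/2488 or 155/22488), so they are kept as one raw string;
# the ProcessGUIDs are the reliable identifiers.
PROCESS_ACCESS = re.compile(
    r"^(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"(?P<src_guid>\{[0-9A-F-]{36}\})(?P<src_pid_tid>\d+)(?P<src_image>[A-Z]:\\.+?)"
    r"(?P<tgt_guid>\{[0-9A-F-]{36}\})(?P<tgt_pid>\d+)(?P<tgt_image>[A-Z]:\\.+?)"
    r"(?P<granted>0x[0-9A-Fa-f]+?)(?P<call_trace>(?:[A-Z]:\\|UNKNOWN).*)$"
)

PROCESS_VM_READ = 0x0010       # required to read credential material out of lsass
PROCESS_ALL_ACCESS = 0x1FFFFF
# Assumption for the example: tools allowed to read lsass memory; tune per estate.
SCANNER_ALLOWLIST = {r"c:\program files\aurora-agent\aurora-agent.exe"}
TRUSTED_TOP_DIRS = {"windows", "program files", "program files (x86)"}
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"]


def parse_record(line):
    """Split one flattened record into a dict; event 10 bodies are decoded, others keep the header."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "body"}
    rec["event_id"] = int(rec["event_id"])
    if rec["event_id"] == 10:
        body = PROCESS_ACCESS.match(m.group("body"))
        if body:
            rec.update(body.groupdict())
            rec["granted"] = int(rec["granted"], 16)
    return rec


def lsass_access_alert(rec):
    """Handles to lsass.exe that can read its memory. GrantedAccess 0x40 (PROCESS_DUP_HANDLE)
    cannot, so the inventory pass in the export is dropped by the mask test alone."""
    if rec.get("event_id") != 10 or not rec.get("tgt_image", "").lower().endswith("\\lsass.exe"):
        return None
    granted = rec["granted"]
    if not (granted & PROCESS_VM_READ or granted == PROCESS_ALL_ACCESS):
        return None
    if rec["src_image"].lower() in SCANNER_ALLOWLIST:
        return None
    return f"lsass memory access 0x{granted:x} from {rec['src_image']} on {rec['computer']}"


def masquerade_alert(image):
    """A binary outside Windows/Program Files whose name is (nearly) that of a core system process."""
    p = PureWindowsPath(image)
    if len(p.parts) > 1 and p.parts[1].lower() in TRUSTED_TOP_DIRS:
        return None
    score = max(SequenceMatcher(None, p.name.lower(), s).ratio() for s in SYSTEM_NAMES)
    if score < 0.85:  # assumption: threshold picked for the example
        return None
    return f"system-binary lookalike in user-writable path: {image}"


def run(lines):
    """Return (EventRecordID, message) for every alert raised over the given records."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["event_id"] != 10 or "tgt_image" not in rec:
            continue
        checks = (lsass_access_alert(rec), masquerade_alert(rec["tgt_image"]), masquerade_alert(rec["src_image"]))
        alerts.extend((rec["record_id"], msg) for msg in checks if msg)
    return alerts


if __name__ == "__main__":
    for record_id, msg in run(SAMPLE):
        print(record_id, msg)
```

Run against the export this shows two things a detection engineer would want to know before writing rules on these hosts. First, aurora-agent.exe opens essentially every process on both machines (winlogon.exe, lsass.exe, svchost.exe, the Splunk and SSM agents, and so on) within a few hundred milliseconds of 14:25:24, always with GrantedAccess 0x40 and the same CallTrace; that is a scanner inventory pass, and a rule keyed only on TargetImage ending in lsass.exe would fire on record 42603. Testing the access mask for PROCESS_VM_READ (or full access) suppresses it without an allowlist entry, so the allowlist is only needed for tools that genuinely read lsass memory. Second, the one target that does stand out is record 114281: C:\Users\Administrator\AppData\Roaming\svchosts.exe, a near-name of svchost.exe running from a user-writable directory, which the lookalike check catches. The concatenated ProcessId/ThreadId field is a reminder that once an export has lost its delimiters some fields are no longer recoverable; key any correlation on the ProcessGUIDs instead.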
10341000x800000000000000042615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.526{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.511{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.503{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.479{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.473{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.467{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.458{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.453{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.447{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.433{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.427{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.420{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.414{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x800000000000000042602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:24.411{3EE3745C-BE85-63BE-2100-00000000A802}15522488C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013438F10) 10341000x8000000000000000114270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.449{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.445{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.440{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.437{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.435{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000114265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:24.432{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405976C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 354300x8000000000000000114264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:21.895{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52107-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000114288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:25.536{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:25.536{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81B9D745B9978F543EEA31B38AFDA7E,SHA256=F7D2D7A027F0551E1238B6CA1794B38975F8AF354D8E0228DF7AD5DFFC9D4220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:25.181{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6884A4E10B547996B1A3DE13A2DA31D3,SHA256=876D5A519B10A93DE3EECEE521F5F17130A379AF5DF4A9C4AD0DB39AF2536813,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:26.656{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:26.656{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E880A02205BE0DC61C42F8A3A41ABE7,SHA256=73F309F4FD7120744B9E054717D97D175E1D30EE1705617019DB5B2378687526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:26.268{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4E7D618BA71F865A55096FF9FE133C,SHA256=8A0289729FEDAFA9C2CAAD7B0FBA86FA1411438209F28E9F8A47D0DC890E4AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:22.797{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50111-false10.0.1.12-8000- 11241100x8000000000000000114293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:27.735{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:27.735{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF870521737B1946C1F3692EF8045E12,SHA256=CCD1476EA41DA21E660BB868AD2E4257BBFDF55F367F9B75052CEA35AA8E8FC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:27.670{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:25:27.670 23542300x800000000000000042634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:27.348{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1C3D10F5F82F91A893CD80D6AA4E4D,SHA256=E4E89325F0F4605F1EFCEAAC298BAE95CF69B8C062F03CEC2B489FA26DB35940,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:28.704{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:28.704{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6801EAEDA34F7DBC4CB55959F5508E,SHA256=6518ABAB97B8D13DE9E618A9DFFCDB962E079BD3F3E15D627FE2A718C2919296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:28.442{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BC65F30C5DFD0B5B7D6AE884BD1487,SHA256=5F8B99CFFD113FF4A559AA4D0D0E3EE690DE003FE3EA5B64D42E696AADF7AEEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:26.916{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52108-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000042636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:29.545{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DCCDAC17EAAFB167A3DF5BF05FC99D,SHA256=D1498BC37F91C9D3958ECB4A38615F514D81EEACE2C2B31748A17C7C77022ED2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000114347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.290{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000114346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.290{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000114345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.290{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000114344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.059{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000114343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.059{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000114342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.059{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000114341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.059{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000114340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.059{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000114339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.059{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000114338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.059{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000114337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.059{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000114336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000114335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000114334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000114333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000114332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000114331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000114330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000114329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000114328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000114326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000114325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000114324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000114323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000114322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000114321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000114320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000114319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000114318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000114317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000114316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000114315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000114314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.043{7DAC9CB3-C6D9-63BE-0402-00000000A702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.760{7DAC9CB3-C6DA-63BE-0502-00000000A702}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000114362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:30.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:30.760{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.760{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C6DA-63BE-0502-00000000A702}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000114357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.760{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6DA-63BE-0502-00000000A702}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000114356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.761{7DAC9CB3-C6DA-63BE-0502-00000000A702}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000114355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:30.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A35301CE1A7D73F4F6D63B936D5495,SHA256=6192340FF3D2A7F78CC72D96FDC399163D5BA8DDCC99FDDBB0CD294F00E134F3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000114352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8B5AD8FE29FAF01821814F58F09789,SHA256=4935851E0F3DEDAE0F29295F58C8202322DC5B13D144CF2167E436592D8CFF15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000114350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:30.151{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F4CF62B8894C3677BEDE2D4DDB758FDE,SHA256=F1E842519A338F5528EF3624E46469E91BAC186BB3CF8A0756C8B41E6726D415,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000114349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:30.077{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000114348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:30.077{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000042639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:31.714{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1056DE6CBF8813CEA8A990835BDEEB,SHA256=F351D3B439AF3ABDCEB07A1EAFDA14AD053BBA25046C37E76EBFEDA0EAA263A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.876{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52109-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000114471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:29.876{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52109-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 734700x8000000000000000114470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.518{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000114469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.502{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000114468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.502{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
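The Event ID 10 (ProcessAccess) records above show conhost.exe, csrss.exe and the parent splunkd.exe opening the newly started splunk-admon.exe with GrantedAccess 0x1fffff, and svchost.exe opening sysmon64.exe with 0x1400. Those masks are the thing to read: 0x1fffff is PROCESS_ALL_ACCESS, which is routine for a parent and the console subsystem at process start, while 0x1400 is only PROCESS_QUERY_INFORMATION plus PROCESS_QUERY_LIMITED_INFORMATION. The same event becomes a credential-theft signal when the target is lsass.exe and the mask carries PROCESS_VM_READ, or when the CallTrace contains frames Sysmon could not map to a module. The following is an added example, not code from the Splunk Attack Range project or the forwarder: it decodes the masks and applies that check. The benign sample records are constructed to mirror the events in this excerpt; the lsass.exe record, the `dumper.exe` path and the LSASS_SOURCE_ALLOWLIST are assumptions for illustration.

```python
"""Decode Sysmon EID 10 GrantedAccess masks and flag credential-theft style
handles to lsass.exe. Added example; sample records are constructed."""
import ntpath
from dataclasses import dataclass

# PROCESS_* access rights from winnt.h; 0x1FFFFF is PROCESS_ALL_ACCESS.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION", 0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_VM_READ = 0x0010
# Assumed allowlist of sources that open lsass.exe with broad rights on a
# stock install; tune per environment.
LSASS_SOURCE_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "lsass.exe"}


def parse_mask(value):
    """Accept the hex string Sysmon writes ('0x1fffff') or an int."""
    return int(value, 16) if isinstance(value, str) else int(value)


def decode_access(mask):
    """Expand a GrantedAccess mask into the access-right names it contains."""
    mask = parse_mask(mask)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names, leftover = [], mask
    for bit, name in sorted(PROCESS_RIGHTS.items()):
        if mask & bit:
            names.append(name)
            leftover &= ~bit
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: str  # as logged, e.g. "0x1fffff"
    call_trace: str      # "module+offset|module+offset|..."


def assess(rec):
    """Return the reasons a ProcessAccess record is suspicious (empty = benign)."""
    reasons = []
    source = ntpath.basename(rec.source_image).lower()
    target = ntpath.basename(rec.target_image).lower()
    mask = parse_mask(rec.granted_access)
    if target == "lsass.exe" and source not in LSASS_SOURCE_ALLOWLIST:
        if mask == PROCESS_ALL_ACCESS or mask & PROCESS_VM_READ:
            reasons.append(f"{source} opened lsass.exe with {'|'.join(decode_access(mask))}")
    # Sysmon writes UNKNOWN(<address>) for frames it cannot map to a loaded
    # module, i.e. code executing from memory not backed by a file on disk.
    if "UNKNOWN(" in rec.call_trace.upper():
        reasons.append("call trace contains frames outside any loaded module")
    return reasons


def find_suspicious(records):
    """(source, target, reasons) for every record that trips a check."""
    hits = []
    for rec in records:
        reasons = assess(rec)
        if reasons:
            hits.append((rec.source_image, rec.target_image, reasons))
    return hits


ADMON = r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+a6154"
SAMPLE_RECORDS = [  # constructed to mirror the EID 10 events in this excerpt
    ProcessAccess(r"C:\Windows\system32\conhost.exe", ADMON, "0x1fffff",
                  NTDLL + r"|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7"),
    ProcessAccess(r"C:\Windows\system32\csrss.exe", ADMON, "0x1fffff",
                  NTDLL + r"|C:\Windows\system32\basesrv.DLL+2f47"),
    ProcessAccess(r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe", ADMON,
                  "0x1fffff", NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+24890"),
    ProcessAccess(r"C:\Windows\system32\svchost.exe", r"C:\Windows\sysmon64.exe", "0x1400",
                  NTDLL + r"|c:\windows\system32\lsm.dll+fd18"),
    # Constructed positive case: an unknown binary reading lsass memory from
    # code that is not backed by any module on disk.
    ProcessAccess(r"C:\Users\Public\dumper.exe", r"C:\Windows\system32\lsass.exe", "0x1010",
                  NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+5ea44|UNKNOWN(00007FF6A1230000)"),
]

if __name__ == "__main__":
    for source, target, reasons in find_suspicious(SAMPLE_RECORDS):
        print(f"{source} -> {target}: {'; '.join(reasons)}")
```

Run as-is it reports only the constructed lsass.exe record; the four records modelled on this excerpt stay silent because their targets are not lsass.exe and their call traces are fully module-backed. The allowlist is deliberately short: a parent process legitimately holds PROCESS_ALL_ACCESS on its child, but nothing outside the listed system binaries should hold PROCESS_VM_READ on lsass.exe.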
734700x8000000000000000114467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.330{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000114466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.330{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000114465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.330{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000114464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.330{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000114463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.314{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000114462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.314{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000114461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.314{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000114460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.314{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000114459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000114458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000114457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000114456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000114455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000114454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000114453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000114452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000114451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000114450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000114449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000114448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:31.299{7DAC9CB3-C6DB-63BE-0602-00000000A702}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000114447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000114500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000114499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000114498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000114497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000114496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000114495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000114494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000114493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000114492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000114491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000114490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000114489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000114488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000114487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000114486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000114485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000114484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000114483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000114481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:33.267{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:33.267{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:33.267{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000114476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.267{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000114475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:33.268{7DAC9CB3-C6DD-63BE-0702-00000000A702}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000114629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.925{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.922{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E599A63FF9F6194041312A4B15AF6224,SHA256=CBE86767903FD61FCEC9AE664D247C0AF8B6F7031D48C7DAEABB85290F654385,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000114627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.847{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000114626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.847{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000114625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.847{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000114624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.847{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000114623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.847{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000114622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.847{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000114621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.847{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000114620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.847{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000114619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000114618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000114617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000114616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000114615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000114614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000114613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000114612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000114611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000114609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000114608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000114607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000114606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000114605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000114604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000114603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000114602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000114601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000114600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000114599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000114598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000114597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000114596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000114595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000114594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000114593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000114592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000114591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000114590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000114589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000114587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:34.832{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:34.832{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000114583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000114581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000114580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.363{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft 
WindowsValid 10341000x8000000000000000114579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.363{7DAC9CB3-C6DE-63BE-0802-00000000A702}50041216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000114578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.347{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000114577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.347{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft 
WindowsValid 11241100x8000000000000000114576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.222{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.222{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68F7B13AC9843450E3F990B648DA6D3,SHA256=C824B65F1A0E82AE9D4B53FD9D01F8D65FC30650E12781EF4398B6F456070164,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000114574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.175{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000114573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.175{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000114572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.175{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000114571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.175{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000114570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.175{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000114569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.175{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000114568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.175{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000114567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.175{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000114566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000114565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000114564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000114563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000114562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000114561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000114560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
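The records above are Sysmon events (image loads, process access, one process creation, file creates and deletes) exported with the XML field boundaries removed, so the EventID/Version/Level/Task/Opcode digits, the paths, the version strings and the PID/TID pairs run together. The Python below is an added example, not part of this export or of the Splunk Attack Range tooling, that recovers the fields that are still unambiguous: the header digit run is split using the facts that Sysmon logs Level 4 and Task equals EventID, paths are cut at their extensions, the hash triple anchors the tail, and the fused SourceProcessId+SourceThreadId of event 10 is resolved by correlating the source ProcessGuid with a record in which the same GUID's PID is delimited by the path that follows it. Fields that nothing delimits (FileVersion through OriginalFileName, LogonId/TerminalSessionId/IntegrityLevel) are kept fused rather than guessed. The field layout is inferred from the records on this page; the sample records are copied from it, with the two event 10 call traces abridged. The PROCESS_ALL_ACCESS pass at the end is the kind of first filter run before a handle-access hunt; on these records it only surfaces the forwarder's own splunkd.exe and conhost.exe opening splunk-powershell.exe.

```python
"""Recover fields from Sysmon records whose XML field boundaries were lost. Added example;
the layout (EventID Version Level Task Opcode Keywords RecordID Channel Computer '-'
EventData) is inferred from the records on this page, nothing else about the exporter is known."""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATH = r"[A-Za-z]:\\.*?"                 # drive-letter path, cut at the extension named next
EXT = r"\.(?:exe|dll|sys|EXE|DLL|SYS)"
HASHES = (r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),"
          r"IMPHASH=(?P<imphash>[0-9A-F]{32})")
PROCESS_ALL_ACCESS = 0x1FFFFF

# The digit run before the keywords is EventID,Version,Level,Task,Opcode. Sysmon logs
# Level 4 and Task == EventID, so a backreference splits "734700x..." as 7,3,4,7,0.
HEADER = re.compile(
    r"^(?P<eid>\d{1,3})(?P<ver>\d)4(?P=eid)0(?P<keywords>0x[0-9A-Fa-f]{16})(?P<rec>\d+)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-"
    r"(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$", re.S)
# Event 1: FileVersion..OriginalFileName stay fused in `meta`, LogonId/Session/
# IntegrityLevel in `logon_meta`; nothing delimits them. CommandLine must be quoted.
EVENT1 = re.compile(
    rf"^(?P<guid>{GUID})(?P<pid>\d+)(?P<image>{PATH}\.exe)(?P<meta>.*?)"
    r'(?P<cmdline>"[^"]*"[^{]*?)(?P<cwd>[A-Za-z]:\\[^{]*?\\)(?P<user>[^\\{]+\\[^\\{]+)'
    rf"(?P<logon_guid>{GUID})(?P<logon_meta>.*?){HASHES}"
    rf"(?P<parent_guid>{GUID})(?P<parent_pid>\d+)(?P<parent_image>{PATH}\.exe)"
    r"(?P<parent_cmdline>.*)$", re.S)
# Event 7: version/description/product/company/original name stay fused in `meta`.
EVENT7 = re.compile(
    rf"^(?P<guid>{GUID})(?P<pid>\d+)(?P<image>{PATH}\.exe)(?P<loaded>{PATH}{EXT})(?P<meta>.*?)"
    rf"{HASHES}(?P<signed>true|false)(?P<signer>.*?)"
    r"(?P<status>Valid|Invalid|Expired|Unavailable|-)$", re.S)
# Event 10: SourceProcessId and SourceThreadId are one digit run; TargetProcessId is
# delimited by the path after it. GrantedAccess stops where the call trace's drive begins.
EVENT10 = re.compile(
    rf"^(?P<src_guid>{GUID})(?P<src_pid_tid>\d+)(?P<src_image>{PATH}\.exe)"
    rf"(?P<tgt_guid>{GUID})(?P<tgt_pid>\d+)(?P<tgt_image>{PATH}\.exe)"
    r"(?P<access>0x[0-9A-Fa-f]+?)(?P<trace>[A-Za-z]:\\.*)$", re.S)
PARSERS = {1: EVENT1, 7: EVENT7, 10: EVENT10}


def parse_record(line):
    """Split one fused record into a dict; unsupported layouts keep the body raw."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not a fused Sysmon record: %r" % line[:60])
    rec = {"event_id": int(m["eid"]), "record_id": int(m["rec"]),
           "computer": m["computer"], "utc": m["utc"]}
    parser = PARSERS.get(rec["event_id"])
    bm = parser.match(m["body"]) if parser else None
    if bm is None:
        rec["raw_body"] = m["body"]      # keep the evidence rather than guess at fields
        return rec
    rec.update(bm.groupdict())
    for key in ("pid", "tgt_pid", "parent_pid"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def pid_table(records):
    """ProcessGuid -> ProcessId, from the fields a following path delimits unambiguously."""
    table = {}
    for r in records:
        for g, p in (("guid", "pid"), ("parent_guid", "parent_pid"), ("tgt_guid", "tgt_pid")):
            if g in r:
                table[r[g]] = r[p]
    return table


def resolve_source(rec, table):
    """Split event 10's fused SourceProcessId+SourceThreadId using the GUID table.
    Returns (None, None) when the source GUID was never seen with a delimited PID."""
    pid = table.get(rec.get("src_guid"))
    fused, prefix = rec.get("src_pid_tid", ""), str(pid)
    if pid is None or not fused.startswith(prefix) or len(fused) == len(prefix):
        return None, None
    return pid, int(fused[len(prefix):])


def full_access_opens(records, table):
    """Event 10 records granting PROCESS_ALL_ACCESS, as (record, src, pid, tid, target)."""
    hits = []
    for r in records:
        if r["event_id"] == 10 and "access" in r and int(r["access"], 16) == PROCESS_ALL_ACCESS:
            pid, tid = resolve_source(r, table)
            hits.append((r["record_id"], r["src_image"].rsplit("\\", 1)[-1], pid, tid,
                         r["tgt_image"].rsplit("\\", 1)[-1]))
    return hits


# Records copied from this page's export; the two event 10 call traces are abridged.
SAMPLE_RECORDS = [
    r'734700x8000000000000000114616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid',
    r'154100x8000000000000000114581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'10341000x8000000000000000114582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNEL32.DLL+1c373',
    r'10341000x8000000000000000114592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.832{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\System32\KERNEL32.DLL+84d4',
]

if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_RECORDS]
    for hit in full_access_opens(recs, pid_table(recs)):
        print(hit)
```

Run as a script it prints two tuples: splunkd.exe (PID 2656, thread 3220, resolved through the parent ProcessGuid of the event 1 record) and conhost.exe (PID and thread left as None, because no record on the page shows that GUID with a delimited PID). Whatever the regexes cannot separate is returned under meta, logon_meta or raw_body so the original bytes stay available for manual review; the one field that would matter most for an investigation and that the export does preserve intact is the hash triple, which this keeps exact.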
734700x8000000000000000114559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000114557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000114556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000114555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000114554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000114553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000114552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000114551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000114550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000114549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000114548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000114547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000114546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000114545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000114544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000114543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000114542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider 
InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000114541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000114540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000114539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000114538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000114537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000114536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000114535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000114533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:34.160{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:34.160{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000114528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000114527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:34.160{7DAC9CB3-C6DE-63BE-0802-00000000A702}5004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000114640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:35.908{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000114639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:35.906{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C8116AD20AA00F057C49F090AEE14A1,SHA256=ACC3B53B80A1547C93E174D10A8EFF0A6D3475AFD77E6A62B9CC7170218023CC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:35.445{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:35.445{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB12737968A9E131E6C1693055B721F,SHA256=61AD0A9E6BD455DC8BE927A83A29273F64EF38D20D3AE4DCD110C55E36E7C6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:35.191{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093B116AA34C89965C50DAB4DC9A1513,SHA256=65F2A1E7C2672148B17A0133EC196BEE5925521CFE10910457E860BD2700B62C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000114636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:35.067{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000114635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:35.066{7DAC9CB3-C6DE-63BE-0902-00000000A702}57681252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000114634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:35.066{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000114633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:35.065{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000114632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:35.029{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:35.029{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:35.029{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C6DE-63BE-0902-00000000A702}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000114693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.713{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000114692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.713{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000114691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.713{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000114690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.588{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.588{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F9EDB7D17048B5A3560A78D260C244,SHA256=A425D6E923441DA0F7486C076E37BCC9BFCAB7A52E57D9E29743700149AD4052,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000114688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.557{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 
(rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000114687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.557{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000114686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.557{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000114685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.557{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000114684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.557{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000114683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.557{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000114682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.557{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 
734700x8000000000000000114681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000114680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000114679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000114678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000114677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000114676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000114675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000114674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000114673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000114672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000114671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000114670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000114669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000114668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft 
WindowsValid 734700x8000000000000000114667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000114666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000114665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000114664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000114663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000114662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000114661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000114660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000114659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000114658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000114657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000114656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000114655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000114654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000114652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000114651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 
734700x8000000000000000114650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000114649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000114648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000114647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:36.542{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:36.542{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:36.542{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000114642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000114641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000042644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:33.806{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50113-false10.0.1.12-8000- 23542300x800000000000000042643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:36.370{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD62EA4C7B74DC23BB602310DEB48E2,SHA256=3EA6A4760ED02652238D916EA2D4370CF546D597A279BEDAFD3FDDEA9A500C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:37.556{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C566A02A6EE24D8C7474024D87C8A16,SHA256=11A752E08EEC823181F80018A57463D51581285A5D5A407FF737E452406C67F1,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000114695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:37.781{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:37.781{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B786EEB697378DD02B26CE59E191E32,SHA256=AD10A979A635E25C54CA1F0AC05AEB85E287C66694A8BB27EAD1B1989CCA0C83,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:38.874{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:38.874{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EC4CEEE1B479F2C0919944E2E8893D,SHA256=96B1C011F372F4E41F50B8CCBF3C9F94124C3BAC10BEA9E4C42EFA584FAE9AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:25:38.750{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892CD42761AC1B044066414F91E4FB0E,SHA256=73FC5FEE6FA271DA0D8CA9768A6AFDBFF439912B81F0FFF9448BA04934C59FAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:37.010{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52111-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000042647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:39.841{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68811A0BBD19CE3277F5D831B096494,SHA256=EDFFF52B724364C60F9E0FAC9EB891A8F3A2A1E9CE42AC9F6C221AFA650ED1C0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:40.064{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:40.064{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1742FDB36C4E96A86F5622211BD5B5B3,SHA256=F9BDF32D249D829D34D9910E0679420B88F9ECA5EAAE42C888EBD5F27A650761,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.387{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.355{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 
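The records above are Sysmon events whose XML tags were stripped on export, so the System header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID) and the EventData values are run together with no delimiters. The following parser is an added example, not code from the page, Splunk or Sysmon: it recovers the header from every record by exploiting Sysmon invariants (Task equals EventID, Keywords is always 0x8000000000000000, paths begin with a drive letter, hashes have fixed widths, GrantedAccess is lowercase hex), decodes the bodies of EventID 7 (ImageLoad) and EventID 10 (ProcessAccess), turns GrantedAccess masks into named process rights, and runs two triage filters over the result. The sample records are copied verbatim from this page; the assumption that each record sits on one line and the choice of rights treated as hijack-capable are mine. The fused SourceProcessId+SourceThreadId value in EventID 10 cannot be split and is dropped.

```python
"""Recover Sysmon fields from tag-stripped records like the ones above.

Added example, not code from the page, Splunk or Sysmon. A record is the System
header numbers run together, then EventData values with no delimiters, so the
parser leans on Sysmon invariants: Task == EventID, Keywords is 0x8000000000000000,
paths start with a drive letter, hashes have fixed widths, GrantedAccess is
lowercase hex. Only EventID 7 and 10 bodies are decoded; others keep the header.
"""
import re

HEADER = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"(?P<keywords>0x[0-9a-fA-F]{16})(?P<record_id>\d+)"
    r"(?P<channel>Microsoft-Windows-Sysmon/Operational)"
    r"(?P<computer>.*?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})(?P<body>.*)$")
# EventID 7 body: ProcessGuid, ProcessId, Image, ImageLoaded, version/description
# text, Hashes, Signed, Signature, SignatureStatus.
IMAGE_LOAD = re.compile(
    r"^\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>[A-Za-z]:\\.*?\.exe)"
    r"(?P<loaded>[A-Za-z]:\\.*?\.(?:dll|drv|exe|sys)).*?MD5=(?P<md5>[0-9A-F]{32}),"
    r"SHA256=(?P<sha256>[0-9A-F]{64}),IMPHASH=(?P<imphash>[0-9A-F]{32})"
    r"(?P<signed>true|false)(?P<signature>.+?)(?P<status>[A-Z][a-z]+)$")
# EventID 10 body: SourceProcessGUID, SourcePid+Tid (fused, not recoverable),
# SourceImage, TargetProcessGUID, TargetPid, TargetImage, GrantedAccess, CallTrace.
PROC_ACCESS = re.compile(
    r"^\{(?P<sguid>[0-9A-F-]+)\}\d+(?P<source>[A-Za-z]:\\.*?\.exe)"
    r"\{(?P<tguid>[0-9A-F-]+)\}(?P<tpid>\d+)(?P<target>[A-Za-z]:\\.*?\.exe)"
    r"(?P<access>0x[0-9a-f]+?)(?P<trace>[A-Za-z]:\\.*)$")
BODY_PARSERS = {7: IMAGE_LOAD, 10: PROC_ACCESS}

# Process access rights from winnt.h; 0x1fffff is PROCESS_ALL_ACCESS.
PROCESS_RIGHTS = {
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x4: "PROCESS_SET_SESSIONID",
    0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
    0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
    0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
# Rights that let the source read, write or hijack the target process (my choice).
HIJACK_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
                 "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE", "PROCESS_ALL_ACCESS"}


def decode_access(mask):
    """Turn a GrantedAccess string such as '0x1400' into named rights."""
    value = int(mask, 16)
    if value == 0x1FFFFF:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]
    leftover = value & ~sum(PROCESS_RIGHTS)
    return names + ([f"0x{leftover:x}"] if leftover else [])  # unnamed bits kept as hex


def parse_record(line):
    """Header fields for any Sysmon record; body fields for EventID 7 and 10."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    body = ev.pop("body")
    ev["event_id"], ev["record_id"] = int(ev["event_id"]), int(ev["record_id"])
    parser = BODY_PARSERS.get(ev["event_id"])
    d = parser.match(body) if parser else None
    if d:
        ev.update(d.groupdict())
        if "signed" in ev:
            ev["signed"] = ev["signed"] == "true"
    return ev


def third_party_modules(events):
    """Loaded modules that are not validly signed as Microsoft Windows."""
    return [(ev["loaded"], ev["signature"], ev["status"]) for ev in events
            if "loaded" in ev and not (ev["signed"] and ev["status"] == "Valid"
                                       and ev["signature"] == "Microsoft Windows")]


def cross_process_access(events):
    """ProcessAccess from outside C:\\Windows that asks for hijack-capable rights.
    A triage filter, not a verdict: endpoint agents legitimately show up here."""
    hits = []
    for ev in events:
        if "source" not in ev or ev["source"].lower().startswith("c:\\windows\\"):
            continue
        rights = decode_access(ev["access"])
        if HIJACK_RIGHTS.intersection(rights):
            hits.append((ev["source"], ev["target"], rights))
    return hits


# Records copied verbatim from the page: two ImageLoad and two ProcessAccess events.
SAMPLE_RECORDS = [
    r"734700x8000000000000000114687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.557{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid",
    r"734700x8000000000000000114671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid",
    r"10341000x8000000000000000114721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.387{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610)",
    r"10341000x8000000000000000114643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:36.542{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C6E0-63BE-0A02-00000000A702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f",
]
EVENTS = [parse_record(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["record_id"], ev["event_id"], ev["utc"], ev.get("loaded") or ev.get("target"))
    print("third-party modules:", third_party_modules(EVENTS))
    print("cross-process access:", cross_process_access(EVENTS))
```

On these four records the first filter returns the OpenSSL 1.0.2za libeay32.dll loaded under the "Splunk, Inc." signature rather than a Microsoft one, and the second returns the aurora-agent.exe open of dns.exe with PROCESS_DUP_HANDLE while ignoring csrss.exe's PROCESS_ALL_ACCESS handle to the new process because csrss lives under C:\Windows. Both results are expected for an endpoint agent and a forwarder, which is the point: the filters reduce the record stream to a short review list, and an allow-list of known agents and parent processes has to be layered on before either becomes an alert. Event types other than 7 and 10 still get their header and UtcTime, so the same loop can be extended with a body regex per EventID.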
10341000x8000000000000000114719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.342{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2500-00000000A702}2468C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.335{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE92-63BE-2300-00000000A702}2324C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.332{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE8A-63BE-1D00-00000000A702}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.324{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1700-00000000A702}1424C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.292{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.285{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1500-00000000A702}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.278{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1400-00000000A702}1120C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.257{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1300-00000000A702}932C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.239{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1200-00000000A702}488C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.216{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.194{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-1000-00000000A702}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.170{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0F00-00000000A702}388C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000114707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.146{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.144{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D206545E659A592270DAC065F5322FC,SHA256=9E42092189CC1E6B52A0A640F23008B69F6D2FA86F508E6AFEA0FE7297E4E909,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.124{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0E00-00000000A702}1020C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.105{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.081{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE88-63BE-0C00-00000000A702}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x800000000000000042650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:39.716{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50114-false10.0.1.12-8000- 23542300x800000000000000042649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:41.803{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B1A36D5E89838D6897F5AB8B29E873A6,SHA256=2C1C577CF827E94A659053D8150EB26DF8A8BF44936504E5E872193C3541ACB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:41.026{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A87976B684A9D8CE1B4428D531AFC5,SHA256=3100FBC69DF3F63B3D81168E862ADB3EBA0AC05746D97FEBF7E96FA746C3BA7E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000114702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.038{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406048C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190) 10341000x8000000000000000114701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:41.030{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405876C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 13241300x8000000000000000114741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:42.570{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\EA515421-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_EA515421-0000-0000-0000-100000000000.XML 
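The records above include Sysmon Event ID 10 (ProcessAccess) entries in which C:\Program Files\Aurora-Agent\aurora-agent.exe opens lsass.exe with GrantedAccess 0x40 and a call trace running through wow64 and ending in an UNKNOWN frame, alongside lsass.exe itself opening DFSRs.exe with 0x1000. The following is an added triage example, not part of this log export or of any product mentioned in it: it decodes the GrantedAccess mask into the Windows process rights it carries and classifies each access to lsass.exe. The sample events are constructed from fields visible in the dump (the third one, with a hypothetical dumper path, is invented to show the alert path), and the allowlist and the choice of "dangerous" rights are assumptions a deployment would tune.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for LSASS handle access.

Added example, not part of the original log export. SAMPLE_EVENTS mirrors
fields seen in the dump; ALLOWLISTED_SOURCES and DANGEROUS_MASK are assumptions.
"""

# Process access rights from winnt.h, used to decode Sysmon's GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Rights that let the holder read, write or control LSASS memory or its
# handles. A handle to lsass.exe carrying any of these deserves a look;
# 0x1000 alone (query limited information) does not.
DANGEROUS_MASK = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040 | 0x0800

# Assumed allowlist: security agents expected to open every process.
# Pair this with an image-hash or signature check in a real deployment.
ALLOWLISTED_SOURCES = {
    r"c:\program files\aurora-agent\aurora-agent.exe",
}

# Constructed events. The first two copy fields from the Sysmon dump; the
# third uses a hypothetical path to exercise the alert branch.
AURORA_TRACE = (
    r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|"
    r"C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|"
    r"C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|"
    r"C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|"
    r"C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|"
    r"C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000017A1A190)"
)
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files\Aurora-Agent\aurora-agent.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x40", "CallTrace": AURORA_TRACE},
    {"SourceImage": r"C:\Windows\system32\lsass.exe",
     "TargetImage": r"C:\Windows\system32\DFSRs.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6154"},
    {"SourceImage": r"C:\Temp\dumper.exe",  # hypothetical, constructed
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": "UNKNOWN(0000000000401000)"},
]


def decode_access(granted: str) -> list[str]:
    """Expand a hex GrantedAccess string into the named rights it contains."""
    mask = int(granted, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def unbacked_frames(call_trace: str) -> list[str]:
    """Return call-trace frames not backed by a module on disk. Note that the
    dump shows benign agent traces ending in UNKNOWN too, so treat this as
    context, not as a verdict by itself."""
    return [f for f in call_trace.split("|") if f.startswith("UNKNOWN(")]


def triage(event: dict) -> dict:
    """Classify one EID 10 record: 'ignore', 'review' (allowlisted source
    holding dangerous rights to LSASS) or 'alert' (anything else)."""
    target = event["TargetImage"].lower()
    source = event["SourceImage"].lower()
    mask = int(event["GrantedAccess"], 16)
    result = {
        "source": event["SourceImage"],
        "target": event["TargetImage"],
        "rights": decode_access(event["GrantedAccess"]),
        "unbacked_frames": unbacked_frames(event.get("CallTrace", "")),
    }
    if not target.endswith("\\lsass.exe") or not (mask & DANGEROUS_MASK):
        result["verdict"] = "ignore"
    elif source in ALLOWLISTED_SOURCES:
        result["verdict"] = "review"
    else:
        result["verdict"] = "alert"
    return result


def run_sample() -> list[str]:
    """Triage the constructed events and return their verdicts in order."""
    return [triage(e)["verdict"] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        r = triage(event)
        print(f"{r['verdict']:6} {r['source']} -> {r['target']} {r['rights']}")
```

The allowlisted agent's 0x40 handle lands in "review" rather than "ignore" on purpose: PROCESS_DUP_HANDLE lets the holder duplicate LSASS handles, so the source image should be confirmed by hash or signature rather than by path alone, which any process can spoof by living at the same path.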
12241200x8000000000000000114740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:42.570{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\EA515421-0000-0000-0000-100000000000 11241100x8000000000000000114739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.570{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_EA515421-0000-0000-0000-100000000000.XML.TMP2023-01-11 14:25:42.570 12241200x8000000000000000114738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:42.570{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\E34D479C-2C49-4090-9B4E-1002E376DD7D 13241300x8000000000000000114737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:42.570{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E34D479C-2C49-4090-9B4E-1002E376DD7D\Config SourceDWORD (0x00000001) 13241300x8000000000000000114736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:42.570{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E34D479C-2C49-4090-9B4E-1002E376DD7D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E34D479C-2C49-4090-9B4E-1002E376DD7D.XML 12241200x8000000000000000114735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:25:42.570{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E34D479C-2C49-4090-9B4E-1002E376DD7D 11241100x8000000000000000114734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.570{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_E34D479C-2C49-4090-9B4E-1002E376DD7D.XML.TMP2023-01-11 14:25:42.570 12241200x8000000000000000114733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:42.560{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000114732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.560{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:42.560{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000114730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.171{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.171{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26392911D8192D83B3B14283C4740BAD,SHA256=EC109ABF0FE21140D1A65553CC079E4E07EADFBC0B1CC8F0ABA4CEFA1A5DD1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:42.110{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E106E4F983A314C67A221451549725,SHA256=5DC04F8A6F9FB2A055BDB1AB0D324FAE5E95F6315853C35F764CBC1279D8822D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000114728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.040{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.038{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:42.027{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.024{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.011{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.008{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x8000000000000000114748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:42.049{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52112-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000114747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:43.405{7DAC9CB3-BE87-63BE-0B00-00000000A702}636760C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.605{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.601{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.598{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.594{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.591{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000114762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.558{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000114761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.558{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2FA5F32AC64890FAB91CB176ACCCED,SHA256=C972E5D70C95AE91C5D2C2902079A4868AB8999695F3D1BFEF6A764DA0CA5A21,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.433{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.433{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AF160FECE6659626A48B84BAFB3F26,SHA256=8EECE653B46A2B804CABC8057B3526B94666D4C4FAC439B85DA5D3A8C4158BA6,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000114758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:44.417{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000114757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:44.417{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.417{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:44.234{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000114754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:44.234{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000114753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:44.234{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.234{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:44.076{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.073{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.073{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x8000000000000000114821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.032{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52115-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000114820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:44.032{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52115-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 23542300x800000000000000042683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:45.984{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409F56994FA2C2E2DCEA67E1CB92F10C,SHA256=1D30A9B64DFAD8E7962A4A0AFECDEDFBE833689007CE85C68A6C33CBABBDFF37,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000114819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:25:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.019{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 10341000x8000000000000000114812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:45.019{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:45.019{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:45.019{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000114809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.018{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.018{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.018{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.018{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.018{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000114804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.018{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.018{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000114798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 734700x8000000000000000114797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000114796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:45.010{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000114795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:45.009{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000114794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:45.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x8000000000000000114793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:25:45.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x8000000000000000114792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:45.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x8000000000000000114791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:45.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000114790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:45.005{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000114789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:45.004{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program 
Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000114825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:46.806{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:46.806{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4A62011155062CFADB5EEB9022C335,SHA256=995A13F4682EAC77AB943D99708738315C09EE97201D05B1F46595F34C32340B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:46.006{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 
09:32:18.990 23542300x8000000000000000114822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:46.006{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF75B5B5905E538AB11716933206B32D,SHA256=35BB9267D941BBBBB9ADA8317F2EF491866B247454E721CDB283DFFFFF8BFE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:47.003{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D4602B0BA2751BE5DB7385DFE65979,SHA256=18C6E9235321D659B77024EB451F787A7FADFA45524F4F20FB1E54ABC7717FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:45.658{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50115-false10.0.1.12-8000- 23542300x800000000000000042685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:48.079{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78825C6A1307B078E032C6E12E7900F,SHA256=F2B9EE03F5FD0784BC6D0B247B850E30F7DEE3CA92CCEE539614DB56B57D12FA,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000114827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:48.018{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:48.018{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15E66E67698600FAB9068C80BD869DA,SHA256=63606475624E9A1A43FEF76546A7AD31D0C1BCB9819845A14733279AAEAB61EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:49.263{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD1E6CD06686C065AEF1549E0AAC181,SHA256=E53203B2660B7CB04876770973063FAEA53A7D88BD95BDD093676E634E2448ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:48.021{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52116-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000114868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 13241300x8000000000000000114867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x8000000000000000114866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x8000000000000000114865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x8000000000000000114864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x8000000000000000114863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d925c8) 13241300x8000000000000000114862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0x99fed0af) 13241300x8000000000000000114861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d925c8) 13241300x8000000000000000114860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0x99eb8722) 12241200x8000000000000000114859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x8000000000000000114858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group 
Policy\State\Machine\Extension-List 12241200x8000000000000000114857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x8000000000000000114856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x8000000000000000114855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x8000000000000000114854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x8000000000000000114853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.144{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x8000000000000000114852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-CTUS-ATT 
12241200x8000000000000000114851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x8000000000000000114850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x8000000000000000114849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x8000000000000000114848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-CTUS-ATT$ 12241200x8000000000000000114847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x8000000000000000114846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x8000000000000000114845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x8000000000000000114844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:49.128{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE84-63BE-0100-00000000A702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97e62|C:\Windows\system32\kerberos.DLL+79f68|C:\Windows\system32\kerberos.DLL+1451f|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000114843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x8000000000000000114842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.128{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 
11241100x8000000000000000114841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:49.111{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:49.111{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA6E93965D0CFE0B9481FD14D82B59B,SHA256=A4E955F0577AAD547F133FBE0528B186C4913CA1D3C6381EA0B38306FF18EA89,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000114839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.017{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000114838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:49.017{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000114837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000114836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x8000000000000000114835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 14:25:49.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-east-2.compute.internal 13241300x8000000000000000114834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-SetValue2023-01-11 
14:25:49.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-ctus-attack-range-661.attackrange.local 12241200x8000000000000000114833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x8000000000000000114832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 12241200x8000000000000000114831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.017{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x8000000000000000114830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:49.017{7DAC9CB3-BE87-63BE-0B00-00000000A702}6362296C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77c5c|C:\Windows\system32\lsasrv.dll+e7984|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000114829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x8000000000000000114828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:25:49.017{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 23542300x800000000000000042688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:50.361{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3923294781A4655446033DAD5E6432ED,SHA256=DC64C4883ACD96600CD1DC991EA0E0D42BAB1C9EFF72F7FF73AA37DC9B185DCB,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000114881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:50.408{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2023-01-10 09:30:10.975 23542300x8000000000000000114880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:50.408{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=401B875C04CE2436F0A3723944D58FD1,SHA256=CA3F01BD5FA6876A3F6E5053330475D4DE9362A6148CBF5A0EDB0A067AEF9F0B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:50.393{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:50.393{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D980E9422030E14DAF414A25DFBC59,SHA256=BBCBFCD950A838C57D51DF26C0573BB2D9CAB8BDC6F8C86CA8059882EB3616B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:48.929{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemNT 
AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52119-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local445microsoft-ds 354300x8000000000000000114876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:48.929{7DAC9CB3-BE84-63BE-0100-00000000A702}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52119-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local445microsoft-ds 11241100x8000000000000000114875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:50.085{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000114874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:50.085{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A38483CF2C25B7DCAF4E1FB4B76060A,SHA256=764BCD3BE0BE9663E531590113648FA495079C955EE23DEE971BF8674CC51486,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:48.830{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52118-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000114872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:48.830{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52118-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000114871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:48.821{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52117-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000114870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:48.821{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local52117-truefe80:0:0:0:3da8:cbc4:1eb3:9ac6win-dc-ctus-attack-range-661.attackrange.local389ldap 23542300x800000000000000042689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:51.539{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3703509D4EC212FBBC73B7C5694FA8BC,SHA256=EA5D32D363F352198702AB3B0F07D9773A13A781C643C11827363A673E9D4267,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:51.392{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000114882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:51.391{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A59769D6726293732DD0F6A79233FD,SHA256=4665E6F47434E335A45BDEB8B7536280246016792EAFD28F179753B65F055B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:52.717{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86A51B1608E20F79B28C208B0F95E43,SHA256=C99A089BD04D58106F758E9369DF70E13EAA40CEA6AC6CB42B4D0D07F5AE86F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:50.832{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50116-false10.0.1.12-8000- 11241100x8000000000000000114885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:52.481{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:25:52.481{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EBA8540BB0E54E627EBFFD63C980DC,SHA256=E7008192C18263316EBA21BA0ADFD079EEAEB7BA69D396E092C39F664D94A12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:52.365{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\respondent-20230111135000-034MD5=CA0432AED8832FEC4A268ECD95555CC4,SHA256=F2EC2AB8CCFA0BEF84779FAA8BB551C0FFBD1784CE3F0961E9269E14E4DD7D03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000114887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:53.764{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000114886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:53.764{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA45EDF6DFF6C5759988A251F9222E69,SHA256=86EA4FCAA70D157BD7E86094BE8C0A3098CBE0245E37897F324A3A7F130F8EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:53.793{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062EA685DA5082EC796B0D09920EBDFE,SHA256=87CD27587B37580430DFCE3614A76F1FD3555DD600A648EDE43BA4EAB526F380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:53.365{3EE3745C-BE85-63BE-1C00-00000000A802}1912NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f44e9589f6b45284\channels\health\surveyor-20230111134958-035MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:54.887{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642B26968AA2467B5B9B52AFA784E125,SHA256=F0D9BC7BAFA2EF218A4F158369028099498A140BDBEB7A9D7271843BE68CC67B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:25:55.984{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C06D873DB88D6A95B5863320148182,SHA256=ABEBB6A00C6B0022FBC6F55DFC1A22BE63224B217A16745A66A07699E60DB0F5,IMPHASH=00000000000000000000000000000000falsetrue 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.073{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.073{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.069{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.069{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.069{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.069{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0A00-00000000A702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.065{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.065{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000114905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.017{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.015{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE86-63BE-0900-00000000A702}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000115035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.923{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.923{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF7A9A1749857647FEDFADE6624A502,SHA256=CAACD933A012FDBFD7BFB96FF0CBE0CA725966E7534B0D35FE41F11C28BBFC6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000115033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.203{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52011- 354300x8000000000000000115032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:01.202{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local49598- 354300x8000000000000000115031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.200{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local57563- 354300x8000000000000000115030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.191{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local64642- 354300x8000000000000000115029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.185{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local49655- 354300x8000000000000000115028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.184{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local56618- 354300x8000000000000000115027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.183{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53712- 354300x8000000000000000115026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.182{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52579- 354300x8000000000000000115025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.181{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local59465- 354300x8000000000000000115024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.178{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52062- 354300x8000000000000000115023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.172{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53209- 354300x8000000000000000115022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.171{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local49557- 354300x8000000000000000115021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.167{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53676- 354300x8000000000000000115020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.164{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local60392- 354300x8000000000000000115019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.162{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local56634- 354300x8000000000000000115018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.161{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local64945- 354300x8000000000000000115017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.160{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local56769- 354300x8000000000000000115016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.159{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local62554- 354300x8000000000000000115015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.158{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local49354- 354300x8000000000000000115014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.157{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local57255- 354300x8000000000000000115013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.156{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local57490- 354300x8000000000000000115012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.155{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52236- 354300x8000000000000000115011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.151{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local51830- 354300x8000000000000000115010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.145{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53624- 354300x8000000000000000115009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.143{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local65348- 354300x8000000000000000115008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.142{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local56618- 354300x8000000000000000115007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.140{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local60202- 354300x8000000000000000115006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.137{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local61045- 354300x8000000000000000115005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.137{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local61045-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domain 354300x8000000000000000115004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.136{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local51830- 354300x8000000000000000115003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.136{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local51830-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domain 354300x8000000000000000115002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.128{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52123-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local49666- 354300x8000000000000000115001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.128{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52123-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local49666- 11241100x8000000000000000115000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.174{7DAC9CB3-BE89-63BE-1100-00000000A702}412C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2023-01-11 13:50:01.763 23542300x8000000000000000114999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.174{7DAC9CB3-BE89-63BE-1100-00000000A702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D7F446E96ECD91780BE553F2D615EF60,SHA256=A6BEFCF8910406BCC5D895F359E102B46FD11095C413A07178C9996832E0C1D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000114998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:00.295{7DAC9CB3-BE89-63BE-0D00-00000000A702}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52122-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local135epmap 354300x8000000000000000114997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:00.295{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52122-false10.0.1.14win-dc-ctus-attack-range-661.attackrange.local135epmap 354300x8000000000000000114996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:25:59.830{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52121-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000114995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.154{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3000-00000000A702}2760C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.153{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2E00-00000000A702}2740C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.148{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.146{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.141{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2B00-00000000A702}2700C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.138{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2A00-00000000A702}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000114989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:02.135{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000042704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:03.269{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D03A6ABC13ABF9BE82DCB51D0D3F71,SHA256=AF5B9AA2DE09F405F6976304E95E8DAA465E2D4232592071B6F61D2F09577CFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000115045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.219{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local63636- 354300x8000000000000000115044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.218{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local61957- 354300x8000000000000000115043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.215{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53571- 354300x8000000000000000115042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.213{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local56914- 354300x8000000000000000115041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.213{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local51931- 354300x8000000000000000115040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.211{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local57893- 354300x8000000000000000115039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.210{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local63402- 354300x8000000000000000115038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.208{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local62957- 354300x8000000000000000115037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.207{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local63435- 354300x8000000000000000115036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.206{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local59857- 10341000x8000000000000000115072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.845{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.844{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.843{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.840{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.833{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.829{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.829{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.827{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.806{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.786{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.750{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.742{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.729{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.724{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.722{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.718{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.712{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.710{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.709{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.706{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x8000000000000000115052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.224{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local57727- 354300x8000000000000000115051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:01.222{7DAC9CB3-BE97-63BE-2700-00000000A702}2552C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local62421- 10341000x8000000000000000115050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.198{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3D00-00000000A702}3280C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.197{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE98-63BE-3600-00000000A702}3116C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x8000000000000000115048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.194{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406092C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE97-63BE-3100-00000000A702}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 11241100x8000000000000000115047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.083{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000115046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:04.083{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CD7623CD0ADAA335B9D0EE5BF48AC2,SHA256=374875D7145EEF8F1913F83785E0E7D5EC496819487E23C128A821397482127B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:02.640{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50118-false10.0.1.12-8000- 10341000x800000000000000042734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.737{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.732{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BEFF-63BE-8200-00000000A802}524C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.728{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE98-63BE-7400-00000000A802}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.724{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.721{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE88-63BE-3D00-00000000A802}2812C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.713{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-3C00-00000000A802}3024C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.713{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE87-63BE-2E00-00000000A802}2956C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.712{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2600-00000000A802}2580C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.705{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE86-63BE-2500-00000000A802}2340C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.698{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.680{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-2000-00000000A802}1288C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.672{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1F00-00000000A802}1992C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.665{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1C00-00000000A802}1912C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.650{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.639{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 
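The records in this export are Sysmon events whose fields were concatenated with no delimiter, which is why a process ID and thread ID run together ("15524044") and an access mask runs into the first call-trace frame ("0x40C:\Windows\..."). The Python below is an added example and is not part of the export or of the Attack Range and Splunk tooling that produced it: it splits records back into fields using the Sysmon schema for the event IDs present (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, then for EID 10 RuleName, UtcTime, SourceProcessGUID, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace; the order is inferred from the records themselves), resolves the fused PID/TID pair, and applies the usual LSASS-access check to the ProcessAccess events. The sample records are copied from this page with call traces shortened to three frames; the final record, its image C:\Users\Public\dumper.exe, its GUID and its PIDs are constructed for the example and do not occur in the export.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# System block.  Sysmon writes Task == EventID and Opcode == 0, which lets the fused
# prefix "10341000x8000000000000000" be split without guessing: EventID 10, Version 3,
# Level 4, Task 10, Opcode 0, Keywords 0x8000000000000000.  Computer is followed by
# RuleName ("-") and then UtcTime.
SYSTEM_RE = re.compile(
    r"^(?P<eid>\d+)(?P<version>\d)(?P<level>\d)(?P=eid)0"
    r"(?P<keywords>0x[0-9A-Fa-f]{16})(?P<record>\d+)" + re.escape(CHANNEL) +
    r"(?P<computer>.+?)-(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<data>.*)$")

# EID 10 EventData after UtcTime.  SourceProcessId and SourceThreadId are fused;
# GrantedAccess ends where the first call-trace frame ("C:\..." or "UNKNOWN(") begins.
ACCESS_RE = re.compile(
    r"^\{(?P<sguid>[0-9A-F-]+)\}(?P<spidtid>\d+)(?P<simage>.+?)"
    r"\{(?P<tguid>[0-9A-F-]+)\}(?P<tpid>\d+)(?P<timage>.+?)"
    r"(?P<access>0x[0-9A-Fa-f]+?)(?P<trace>(?:[A-Za-z]:\\|UNKNOWN).*)$")

PROCESS_VM_READ = 0x10  # needed to read another process's memory

# Records copied from the export above (call traces shortened to three frames).
# The last record is CONSTRUCTED for this example and is not in the export.
SAMPLE = "\n".join([
    r"10341000x800000000000000042708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.422{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190)",
    r"10341000x800000000000000042707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.422{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190)",
    r"10341000x800000000000000042739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:07.820{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\rpcss.dll+3f906|C:\Windows\SYSTEM32\ntdll.dll+51791",
    r"10341000x800000000000000042742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:07.835{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\lsm.dll+f86b|C:\Windows\SYSTEM32\ntdll.dll+51791",
    r"23542300x800000000000000042705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.350{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85D79E011370C5AF6A02EA36738441C,SHA256=973483BBA5A9A25960DF4F50740E74A30808588CA29580DC55A2F3C7EACBC03B,IMPHASH=00000000000000000000000000000000falsetrue",
    # CONSTRUCTED: hypothetical dumper holding 0x1010 (VM_READ | QUERY_INFORMATION) on lsass.
    r"10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:30:00.000{3EE3745C-C9B0-63BE-AA00-00000000A802}51921024C:\Users\Public\dumper.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Users\Public\dumper.exe+1234",
])


@dataclass
class ProcessAccess:
    record: int
    computer: str
    utc: str
    source_pid: Optional[int]
    source_tid: Optional[int]
    source_image: str
    target_pid: int
    target_image: str
    granted_access: int
    call_trace: str


def split_pid_tid(fused: str, known_pids: set[int]) -> Optional[tuple[int, int]]:
    """PIDs and TIDs are non-zero multiples of 4 and never zero-padded, but that still
    leaves "7283988" as either 728|3988 or 72|83988.  A PID seen unambiguously elsewhere
    (a TargetProcessId is followed by a path) decides; else only a lone candidate is accepted."""
    cands = []
    for i in range(1, len(fused)):
        pid_s, tid_s = fused[:i], fused[i:]
        if tid_s.startswith("0"):
            continue
        pid, tid = int(pid_s), int(tid_s)
        if pid and pid % 4 == 0 and tid % 4 == 0:
            cands.append((pid, tid))
    preferred = [c for c in cands if c[0] in known_pids]
    if len(preferred) == 1:
        return preferred[0]
    return cands[0] if len(cands) == 1 else None


def parse_dump(text: str) -> tuple[list[ProcessAccess], dict[int, int]]:
    """Return all EID 10 events plus a per-EventID count of every record seen."""
    chunks = re.split(r"\s+(?=\d+0x[0-9A-Fa-f]{16}\d+" + re.escape(CHANNEL) + ")",
                      text.strip())
    counts: dict[int, int] = {}
    heads = []
    for chunk in chunks:
        m = SYSTEM_RE.match(chunk)
        if not m:
            continue
        eid = int(m["eid"])
        counts[eid] = counts.get(eid, 0) + 1
        if eid == 10 and (b := ACCESS_RE.match(m["data"])):
            heads.append((m, b))
    known = {int(b["tpid"]) for _, b in heads}   # pass 1: unambiguous PIDs
    events = []
    for m, b in heads:                             # pass 2: split fused PID/TID
        pid, tid = split_pid_tid(b["spidtid"], known) or (None, None)
        events.append(ProcessAccess(
            int(m["record"]), m["computer"], m["utc"], pid, tid, b["simage"],
            int(b["tpid"]), b["timage"], int(b["access"], 16), b["trace"]))
    return events, counts


def lsass_read_attempts(events: list[ProcessAccess]) -> list[ProcessAccess]:
    """EID 10 events targeting lsass.exe with PROCESS_VM_READ in the granted mask
    (credential dumpers typically hold 0x1010 or 0x1fffff).  0x1400 (query info) cannot
    read memory; 0x40 (PROCESS_DUP_HANDLE) cannot either, though it can be abused to
    duplicate a stronger handle, so review those by source image rather than alerting here."""
    return [e for e in events
            if e.target_image.lower().endswith("\\lsass.exe")
            and e.granted_access & PROCESS_VM_READ]
```

Run against the export itself, `parse_dump` would show what the sample already shows: the aurora-agent.exe events on this page hold only 0x40 on lsass.exe (and on every other process it enumerates, with an identical wow64 call trace, consistent with a 32-bit agent walking process handles), and the svchost.exe events hold 0x1400 or 0x1000, so none of the page's own records satisfy the VM_READ check; only the constructed record does. The two-pass PID resolution matters for any analysis keyed on SourceProcessId: without the cross-reference, "7283988" is genuinely ambiguous and the function refuses to guess.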
10341000x800000000000000042719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.634{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.614{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.590{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.527{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.516{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.502{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.477{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.457{3EE3745C-BE85-63BE-2100-00000000A802}15524044C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B26C190) 10341000x800000000000000042711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.446{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.431{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.430{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.422{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.422{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.422{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 23542300x800000000000000042705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:04.350{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85D79E011370C5AF6A02EA36738441C,SHA256=973483BBA5A9A25960DF4F50740E74A30808588CA29580DC55A2F3C7EACBC03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:05.423{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759948077A2DC10787991B8329EB3152,SHA256=8B6C8CA4A7A26C119C498F1F48BBD0442C87C2B9BDA2637ED750FFC162089C94,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:05.162{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:05.162{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEADD64C6E307001CE550EECCCD4FA4,SHA256=A317AB700ABE5636B0DCB6E0CCCFF05A9F3172A6F41E795B397A7F4CDB524F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:06.499{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102C9E7ABC21FE006DEBFA87206C1D96,SHA256=B062376020FCE056891204C13AE9F4CBC2A976301CDEC3BDEBBC2EE1F58F8684,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:06.240{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:06.240{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2647FF962DA71094009BD6BD9FA972,SHA256=B35F627D9E2D8DAF7F56A04C56BFBC2B50EBE7A1813DA00BFCD582424E61F558,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:07.339{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:07.339{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694060EBB4EA8E24C22611CFE5D9DA15,SHA256=79F371E14F70D1B566464C7EC46BFFD3A988140E2A47A945DA9CDD5ED186959A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:07.835{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:07.835{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:07.835{3EE3745C-BE84-63BE-0B00-00000000A802}632672C:\Windows\system32\lsass.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:07.820{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-2100-00000000A802}1552C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:07.578{3EE3745C-BE98-63BE-7400-00000000A802}3564NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12065D1D04D918E50E0ACA14044026D2,SHA256=C4F1E99EDB68D35E57775B986093C91018710C75BEABF845F5FFF7BF0C38893A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000115077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:05.038{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52124-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000115081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:08.641{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:08.641{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6450D9A4047BAECD5EF0875C67DF2CDE,SHA256=E98195889B533F9929A9E09774A6B8139A9A10AFFA621D8F6CF9C2BC7ADBBD0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:08.822{3EE3745C-BE84-63BE-0D00-00000000A802}7883900C:\Windows\system32\svchost.exe{3EE3745C-C0AB-63BE-C000-00000000A802}588C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:08.649{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EB2CBEAA0C5272D2CC8A9FDAF96823,SHA256=07B28D7E123816B8FCCFDB3C810DDCEA9491E013836FA00F33515EA6517B0924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000115086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:09.858{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\respondent-20230111135017-034MD5=07F426DA1BACB3E11353998655DE41A4,SHA256=9692EE6582095E917EA0BD91D619685FE73AB8816512AD24B6859CB275BF64B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:09.857{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\respondent-20230111135017-0342023-01-11 14:26:09.857 11241100x8000000000000000115084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:09.855{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\tmp\surveyor-20230111135015-0352023-01-11 14:26:09.855 11241100x8000000000000000115083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:09.730{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:09.730{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2545062B4F06A72C21918DA22A210A8C,SHA256=426BB792E84CB376F4871301E2E792F37165D374A838B4A4023DEE5B40FF9657,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:07.804{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50119-false10.0.1.12-8000- 23542300x800000000000000042746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:09.742{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D1FF630DDB1DFEAB76354E8ECB16C2,SHA256=38556FC6FDFF78DEBD994E3B75BFE25051F063CB31ABE3D40153D8EE9869B603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:09.621{3EE3745C-BE85-63BE-2200-00000000A802}1620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:10.914{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:10.914{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25966769187DE509DC9A0CC94E8BD775,SHA256=DA123027FEDBA69395BDFC5B6054C88EAC7CEACD6BB4C574E41C9DEF39B21CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000115087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:10.862{7DAC9CB3-BE97-63BE-2C00-00000000A702}2708NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-064c2d00a906a8ab4\channels\health\surveyor-20230111135015-035MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.917{3EE3745C-C703-63BE-9801-00000000A802}3904344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.683{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C703-63BE-9801-00000000A802}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.683{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75C38E1CA167FDA4E16A74A9179E5692,SHA256=3AB421344E81B8E615925CDD20CBAAFEED8FB27A73F3E32E4A5518D8BCCC245C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.683{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:11.683{3EE3745C-BE84-63BE-0500-00000000A802}4161048C:\Windows\system32\csrss.exe{3EE3745C-C703-63BE-9801-00000000A802}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.683{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C703-63BE-9801-00000000A802}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.684{3EE3745C-C703-63BE-9801-00000000A802}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:11.039{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF930DEBB2B397D43BA9ACDCEA51D4E,SHA256=DDBC93DE9451C5836F0A45B53576E89F9569440AB71AB0E5D2141060485C9353,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:09.195{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50120-false10.0.1.12-8089- 10341000x800000000000000042760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:10.997{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C702-63BE-9701-00000000A802}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:10.997{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:10.997{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C702-63BE-9701-00000000A802}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:10.997{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C702-63BE-9701-00000000A802}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:10.998{3EE3745C-C702-63BE-9701-00000000A802}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000115091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:12.000{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:12.000{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CA3543F408CEA222BBC6CDB34A9E96,SHA256=4A689590F5715A67F4A73D17345CAEC320B063CA7E252783FD13832FAAE12128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:12.195{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C704-63BE-9901-00000000A802}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:12.195{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x800000000000000042791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:12.195{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:12.195{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:12.195{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:12.195{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:12.195{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:12.195{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:15.329{3EE3745C-BE84-63BE-0500-00000000A802}416532C:\Windows\system32\csrss.exe{3EE3745C-C707-63BE-9C01-00000000A802}960C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:15.329{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:15.329{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C707-63BE-9C01-00000000A802}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:15.329{3EE3745C-C707-63BE-9C01-00000000A802}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.672{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4493FBEC9782F0EAE41B7A200849676A,SHA256=423C65555C950B156422A5E4AD8E004B1FF7BC7CD9AA4333CC2114FEA47B4476,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:16.303{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:16.303{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645F659E6ECE857EB827F2CF38EEF6EE,SHA256=4754C63968E2916538598A32CDEEAB02E369C33719B3834B9CC41705051B3672,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:16.240{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2023-01-10 09:33:07.314 23542300x8000000000000000115099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:16.240{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C93D7F75CF3EFE18E7D134A5CEA61516,SHA256=70FE07D72A3EF2FCE611BC1F6F4778C9F5355F1199CA3117AD367B16B1D679D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.469{3EE3745C-BE87-63BE-2E00-00000000A802}29562976C:\Windows\system32\conhost.exe{3EE3745C-C708-63BE-9D01-00000000A802}4020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.469{3EE3745C-BE84-63BE-0C00-00000000A802}7283988C:\Windows\system32\svchost.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.469{3EE3745C-BE84-63BE-0500-00000000A802}416432C:\Windows\system32\csrss.exe{3EE3745C-C708-63BE-9D01-00000000A802}4020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.469{3EE3745C-BE85-63BE-2200-00000000A802}16203204C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3EE3745C-C708-63BE-9D01-00000000A802}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:16.470{3EE3745C-C708-63BE-9D01-00000000A802}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3EE3745C-BE84-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3EE3745C-BE85-63BE-2200-00000000A802}1620C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000042839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:13.686{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50121-false10.0.1.12-8000- 23542300x800000000000000042855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:17.780{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DBAE647150E9D47116AE675885B5AA,SHA256=8F93CC499A631F878CAE336200BBEB43981329C68D1161B4131DED94185B7676,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:17.276{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:17.276{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB47888C54A79FA4139D9D8BA95ADD8,SHA256=A5CF830915A54F00DDA9A33A58B31D05141398BE38FC231DAEFD216C9D88B7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:17.573{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAC459CEC2DBE4A37CCEA16BC9518C16,SHA256=527E014F8637813AC78B410B42FC1F8A2E5BF3CF564E027BFC50F04584C346A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:18.850{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B30CB847D5318FBCB6E8F3852C492D,SHA256=637F00B0C88599B1BF535D3B43A6E1F919186EAAD5004AF4AB347B71E9B12FEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000115107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:16.023{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52126-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000115106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:18.353{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:18.353{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3DA02EA626C05F6C5811E7B9ABD7F9,SHA256=83E4E1F7E1BA71C41D4C6145A76D1E7FA0833ECE1663F3E0A153ABB711FF52F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:19.941{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F8F6825BFB0472D5552EC0EB1C3FA3,SHA256=0D1DD5C5EE72EED5684D6236324C22DCC6B88279B721837D0751C5A670FB9B9C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:19.441{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:19.441{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.574{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1A00-00000000A802}1896C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.558{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1800-00000000A802}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 
10341000x800000000000000042876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.555{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.534{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.524{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.493{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.478{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.472{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.459{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.451{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.446{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.437{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.427{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.419{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.409{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 10341000x800000000000000042863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.406{3EE3745C-BE85-63BE-2100-00000000A802}15522924C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013A1A190) 23542300x800000000000000042862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.381{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D88CB7DDE59A7D7749E8CCF77FBC0F,SHA256=A87715AB1B01E7F7A27D68237B8171D3B5DC308D3915667A106C8478278099FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000115168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:24.715{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.712{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.709{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.703{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.698{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.696{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.696{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.692{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.661{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.638{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.569{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.550{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.532{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.523{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.520{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.515{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.509{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.505{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.504{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 10341000x8000000000000000115149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:24.501{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405984C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580610) 354300x8000000000000000115148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:22.019{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52128-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000115172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:25.990{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:25.990{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77313443EB9213C84594438927711C48,SHA256=3D4E6F5A9DAB9197A54E3E5E84B8E2B9272D7535A7CA7C7F0AF3FDC73A67690D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:25.617{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833ADB2D0CF44E1D0989F2DBA870D2DF,SHA256=282AA3040914AE30180CE50C0FFF54BE62CDA3BF837B19DC49E6747EFF8BCE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:26.756{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B2E4F80BC710BFC54B50D917B876D5,SHA256=90CCD33E95C32D751C1B9D79B82FB60EC1492FD7DB659DC941C7830D28283BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:27.826{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E56E7C2F4CC822D93EBC2203EB659C,SHA256=0F7BC82DC45E9EE6646B5EC9B438122D939C1039A7E67354CEE4F24BC198A089,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:27.673{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2023-01-11 14:26:27.673 11241100x8000000000000000115174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:27.072{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:27.072{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2812387336CC542B71AAEFC7FDAA185,SHA256=ADF55B8901B62E2D4299C67DFF40920652D3104CE9D8293CB0D25CB6655C2CE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:24.831{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50123-false10.0.1.12-8000- 
23542300x800000000000000042896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:28.914{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B60D9C07C04D2FFE2589A02CB228B6,SHA256=C75142F22D32CD19CE6E918970C9FB7B6A07B155042C5A7A1763007D33FA5438,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:28.150{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:28.150{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45FB3652D6173C77614AFE90D5F2767,SHA256=4DB5768B40B4AD2538DE6D05F5EB21F0CF4243589CFEF37BB808E6EE4FF74BB8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.645{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:29.645{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7C19A835CF04C12090008369B237D8,SHA256=15CDDE2B6B2687B97699A25A62C3970FD13E9C4993BD30F80A157414F2A240C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000115232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:27.940{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52129-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000115231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.270{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000115230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.254{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.254{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000115228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.085{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000115227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.085{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000115226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.085{7DAC9CB3-BF9C-63BE-B700-00000000A702}58406020C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 734700x8000000000000000115225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.072{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000115224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.071{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.071{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.070{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000115221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.068{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.068{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000115219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.067{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.067{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000115217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000115214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000115208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000115204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000115202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000115200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000115199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000115197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000115194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows 
NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000115191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000115190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000115189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000115187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000115186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000115184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:29.042{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:29.042{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:29.042{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000115179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.042{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000115178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.043{7DAC9CB3-C715-63BE-0B02-00000000A702}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000115292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.983{7DAC9CB3-C716-63BE-0C02-00000000A702}67485856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.983{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000115290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.983{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000115289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000115285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000115283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000115281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.780{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
734700x8000000000000000115280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000115275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000115273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000115268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000115267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000115265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® 
Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000115260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft 
WindowsValid 734700x8000000000000000115259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000115253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000115251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000115250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000115249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:30.764{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000115246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:30.764{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:30.764{7DAC9CB3-BE86-63BE-0500-00000000A702}420536C:\Windows\system32\csrss.exe{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000115243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.764{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000115242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.765{7DAC9CB3-C716-63BE-0C02-00000000A702}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000115241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.749{7DAC9CB3-BE97-63BE-2800-00000000A702}2656NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=406A0209D4723C64CF73C80D2BA08855,SHA256=1CEF023F5E3247333214AD7F1C5B0E05514A0385D6F706A8527B48FBB8493023,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.358{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.358{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB3F978B3B23CF30F991C4713E32C3B,SHA256=01B53B1F17B3C2464437FF4D3C83E2B2BD51034E12D5EB9E01E4F3FDE86BD84B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x800000000000000042897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:30.001{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81ACE0AFFC0EF1A363A8205D2C68085A,SHA256=0439874B7B4F254550423549E6315A3C1664C521563C4C83777078D9F8F4CA99,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.111{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000115237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:30.111{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B5C5424330F3D0C8746FD208B29AA7C,SHA256=562E4D2583BB52C54999D85A94DA7F15168752D73198EA4E30063E9F038B3409,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000115236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:30.094{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x8000000000000000115235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:30.094{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
734700x8000000000000000115351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.694{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000115350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.678{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.678{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000115348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.892{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52130-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 354300x8000000000000000115347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:29.892{7DAC9CB3-BE97-63BE-2600-00000000A702}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local52130-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-661.attackrange.local389ldap 11241100x8000000000000000115346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.538{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.538{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC354D3D524D227C0EE84F4DF497A052,SHA256=3160A47BA909915332E03B7F39B6B64BD71CE7FA964CCA7D5E11228D60DA12B8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000115344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.444{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.444{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.444{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.444{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 
734700x8000000000000000115340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.444{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.444{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000115338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.444{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.444{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000115336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000115335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000115330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000115326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000115325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x8000000000000000115323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000115317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:31.428{7DAC9CB3-C717-63BE-0D02-00000000A702}5812C:\Program 
Sysmon events from the Microsoft-Windows-Sysmon/Operational channel, one record per line, fields separated by " | " (CallTrace frames keep their original "|" joins). Field order by event type:
  all events: EventID | Version | Level | Task | Opcode | Keywords | EventRecordID | Channel | Computer | RuleName | UtcTime | (event-specific fields)
  EventID 7 (Image loaded): ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
  EventID 10 (Process accessed): SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace
  EventID 1 (Process creation): ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine
  EventID 3 (Network connection): ProcessGuid | ProcessId | Image | User | Protocol | Initiated | SourceIsIpv6 | SourceIp | SourceHostname | SourcePort | SourcePortName | DestinationIsIpv6 | DestinationIp | DestinationHostname | DestinationPort | DestinationPortName
  EventID 11 (File created): ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
  EventID 23 (File delete archived): ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

(continuation of the preceding record) Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\win32u.dll | 10.0.14393.51 (rs1_release_inmarket.160801-1836) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115315 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\nsi.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | NSI User-mode interface DLL | Microsoft® Windows® Operating System | Microsoft Corporation | nsi.dll | MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115314 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115313 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115312 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\IPHLPAPI.DLL | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | IP Helper API | Microsoft® Windows® Operating System | Microsoft Corporation | iphlpapi.dll | MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115311 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\dnsapi.dll | 10.0.14393.4350 (rs1_release.210407-2154) | DNS Client API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | dnsapi | MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECC | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115310 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\secur32.dll | 10.0.14393.2273 (rs1_release_1.180427-1811) | Security Support Provider Interface | Microsoft® Windows® Operating System | Microsoft Corporation | secur32.dll | MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115309 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115308 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.5427 (rs1_release.220929-2054) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115307 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.5291 (rs1_release.220806-1444) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115306 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\sechost.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115305 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 115304 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-BE98-63BE-3600-00000000A702} | 3116 | 3136 | C:\Windows\system32\conhost.exe | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115303 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.5582 (rs1_release.221130-1719) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115302 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.5582 (rs1_release.221130-1719) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115301 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.5427 (rs1_release.220929-2054) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115300 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 8.2.5 | Network monitor | Splunk Application | Splunk Inc. | splunk-netmon.exe | MD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52 | true | Splunk, Inc. | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 115299 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-BE88-63BE-0C00-00000000A702} | 836 | 4360 | C:\Windows\system32\svchost.exe | {7DAC9CB3-BE97-63BE-2D00-00000000A702} | 2728 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 115298 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-BE88-63BE-0C00-00000000A702} | 836 | 4360 | C:\Windows\system32\svchost.exe | {7DAC9CB3-BE97-63BE-2D00-00000000A702} | 2728 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 115297 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-BE88-63BE-0C00-00000000A702} | 836 | 4360 | C:\Windows\system32\svchost.exe | {7DAC9CB3-BE97-63BE-2D00-00000000A702} | 2728 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 115296 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-BE88-63BE-0C00-00000000A702} | 836 | 4360 | C:\Windows\system32\svchost.exe | {7DAC9CB3-BE97-63BE-2D00-00000000A702} | 2728 | C:\Windows\sysmon64.exe | 0x1400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 115295 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-BE86-63BE-0500-00000000A702} | 420 | 436 | C:\Windows\system32\csrss.exe | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 115294 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.428 | {7DAC9CB3-BE97-63BE-2800-00000000A702} | 2656 | 3220 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 115293 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:31.429 | {7DAC9CB3-C717-63BE-0D02-00000000A702} | 5812 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 8.2.5 | Network monitor | Splunk Application | Splunk Inc. | splunk-netmon.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {7DAC9CB3-BE87-63BE-E703-000000000000} | 0x3e7 | 0 | System | MD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52 | {7DAC9CB3-BE97-63BE-2800-00000000A702} | 2656 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 42898 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-780 | - | 2023-01-11 14:26:31.097 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=8F29E132AE596BEA577C2CDE824D58E9,SHA256=DAB8896F89E7AE117F24727977E0EA11EA2B62EF9102B1671B9D28EB144CC5E7,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 115355 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:32.655 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2023-01-10 09:32:18.990
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 115354 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:32.655 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=6731E94EBA1FD370C10FBE7CE6D6A61D,SHA256=3D0E5B77422210619D4A2B16B42345303D3FF4AAA783E692798F00794FE8FC4D,IMPHASH=00000000000000000000000000000000 | false | true
3 | 5 | 4 | 3 | 0 | 0x8000000000000000 | 42900 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-780 | - | 2023-01-11 14:26:30.608 | {3EE3745C-BE91-63BE-6200-00000000A802} | 3328 | C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | NT AUTHORITY\SYSTEM | tcp | true | false | 10.0.1.15 | win-host-ctus-attack-range-780.us-east-2.compute.internal | 50124 | - | false | 10.0.1.12 | - | 8000 | -
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 42899 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-780 | - | 2023-01-11 14:26:32.189 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=E86E478A6E54F639A2D121B95AF770BD,SHA256=ECBF34001A30530E49B33788CC7FE1A82C44CA9247D7494B4FBDC5A9BEA51686,IMPHASH=00000000000000000000000000000000 | false | true
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 115353 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:32.285 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application | 2023-01-10 09:30:10.975
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 115352 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:32.285 | {7DAC9CB3-BEAB-63BE-7B00-00000000A702} | 3632 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application | MD5=A374C0B330563776BF6D46EF4FF23B61,SHA256=120CE818421A48B0548CEAA1C56DA256CAD129D26E358D583F9D073BEF97F08D,IMPHASH=00000000000000000000000000000000 | false | true
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 42901 | Microsoft-Windows-Sysmon/Operational | win-host-ctus-attack-range-780 | - | 2023-01-11 14:26:33.259 | {3EE3745C-BE98-63BE-7400-00000000A802} | 3564 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=4EF5A4EC2826C006F855A6BFE2319C7C,SHA256=D3D08D5AF0BEDE4B9E67B52B031F2EEA67B15118C47135CADB7AB3D99551E461,IMPHASH=00000000000000000000000000000000 | false | true
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115406 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.500 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | true | Microsoft Windows | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 115405 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.500 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | 5024 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | {7DAC9CB3-BE97-63BE-2800-00000000A702} | 2656 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115404 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.500 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115403 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.500 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115402 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.313 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115401 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.313 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115400 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.313 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115399 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115398 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115397 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.5066 (rs1_release.220401-1841) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115396 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115395 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.5427 (rs1_release.220929-2054) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115394 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115393 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115392 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115391 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4770 (rs1_release.211101-1440) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115390 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.5356 (rs1_release.220906-1211) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115389 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\combase.dll | 10.0.14393.5582 (rs1_release.221130-1719) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115388 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115387 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.297 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ole32.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115386 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.5582 (rs1_release.221130-1719) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115385 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\win32u.dll | 10.0.14393.51 (rs1_release_inmarket.160801-1836) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115384 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115383 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115382 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115381 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115380 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115379 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.5291 (rs1_release.220806-1444) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115378 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115377 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115376 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115375 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\sechost.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115374 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115373 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115372 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 115371 | Microsoft-Windows-Sysmon/Operational | win-dc-ctus-attack-range-661.attackrange.local | - | 2023-01-11 14:26:33.288 | {7DAC9CB3-C719-63BE-0E02-00000000A702} | 4508 | C:\Program (record continues on the next line)
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000115370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 
10341000x8000000000000000115367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000115365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000115364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000115362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:33.288{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:33.288{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-BE86-63BE-0500-00000000A702}420436C:\Windows\system32\csrss.exe{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000115357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000115356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.288{7DAC9CB3-C719-63BE-0E02-00000000A702}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:34.343{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651555C664A32908993EE1479B15D149,SHA256=C1AC482CAF4376FA0F355414C6BC06B2F49941FCAD09BE456D3A03582CA4A270,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000115515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.950{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.950{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C3DC081D7A1EDDC0E354EBE97FC5D1,SHA256=511F9F51678ECCC185CE116262086B14FFE24F664C1E038231D171B99599F474,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000115513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.869{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.869{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.869{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.869{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000115509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.869{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000115508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.869{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000115507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.869{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.869{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x8000000000000000115505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000115503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000115498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000115497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000115492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.854{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000115424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000115422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x8000000000000000115418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000115416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000115415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000115414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:34.183{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000115412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:34.183{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:34.183{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-BE86-63BE-0500-00000000A702}4203040C:\Windows\system32\csrss.exe{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000115408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.183{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000115407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:34.184{7DAC9CB3-C71A-63BE-0F02-00000000A702}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:35.537{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB44B091CBDFF66765486B3926534EF,SHA256=0C9EE01A3333A6A6450D2BD468CF48C0B71F2F9B0AA3F39A0495053E35355BA1,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000115522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:33.830{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-661.attackrange.local52131-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000115521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:35.339{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:35.339{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04DF838DAA83AFBCFA1D8CC819D6FB9,SHA256=9B6345D59AE65043FA057D2BFE7686E8216E2C6C65A4705705BA549C00AE17A4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000115519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:35.069{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
10341000x8000000000000000115518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:35.069{7DAC9CB3-C71A-63BE-1002-00000000A702}43047032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:35.069{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:35.069{7DAC9CB3-C71A-63BE-1002-00000000A702}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000115577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.627{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000115576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.627{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000115575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.627{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000115574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000115573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000115572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000115571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000115570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000115569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000115568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 
11241100x8000000000000000115567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.443{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F687E29E5DFE1EDA968C6A564D1278,SHA256=1BFF9FF1C5360394C3F54D19DFD0A6F4F51B531828C3608AA6D5E672F5695D06,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000115565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000115564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000115563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000115562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000115561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000115560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000115559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5582 (rs1_release.221130-1719)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=8D82B2062AE1D60CD08C0EA166563A0E,SHA256=1B3729118FA8F9A652968B00B18223FFAED26F1E86E579B18A21C31EC3DE4D8A,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x8000000000000000115558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000115557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000115556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000115555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000115554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000115553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000115552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5582 (rs1_release.221130-1719)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=FAF564ECD596B79546E35001D6199B72,SHA256=9ECB24E3D3F1FBF990DE6EFAB5EFB0617415905A4316F3C2269DC5503FDAEC3E,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000115551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000115550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000115549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000115548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000115547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000115546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:36.427{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000115545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000115544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000115543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® 
Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000115542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000115541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x8000000000000000115540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5582 (rs1_release.221130-1719)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=5ED94A02EBF8A9EA597DD1896C2058AF,SHA256=00B823F75600CD2FA15FF545ABAA581F244A185E580BC76C7C937159765A82A8,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000115539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000115538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000115536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-BE98-63BE-3600-00000000A702}31163136C:\Windows\system32\conhost.exe{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000115535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=D539D469F2D9528094498E68F7A75DDE,SHA256=F7764E62BF86CD678521B8DA0853284D79EC4CA8B208212E49307989CA462D1A,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x8000000000000000115534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5582 (rs1_release.221130-1719)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6EB968F29ACAC368D1A9F36A5581E89B,SHA256=78BAE4ABDACA6E892420DB1FD76CFFECDF6022389022B53608619249D0FCA3DE,IMPHASH=B6654FD7E37D5651FBE01C62205D1233trueMicrosoft WindowsValid 734700x8000000000000000115533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000115532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000115531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:36.412{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:36.412{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE97-63BE-2D00-00000000A702}2728C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-BE86-63BE-0500-00000000A702}4205144C:\Windows\system32\csrss.exe{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000115526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.412{7DAC9CB3-BE97-63BE-2800-00000000A702}26563220C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000115525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.413{7DAC9CB3-C71C-63BE-1102-00000000A702}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7DAC9CB3-BE87-63BE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{7DAC9CB3-BE97-63BE-2800-00000000A702}2656C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:36.615{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404CD93F4CD40DE90CCB357EB20F915B,SHA256=EF7A5A07F375FE6288EC35E7928678F008475C9E8EF86F2A3696E55370A0222D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.079{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2023-01-10 09:30:40.840 23542300x8000000000000000115523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:36.079{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FA6CE4CB650BBBDB05F675F92E8EBD9,SHA256=65F1D7D555D03F0EE659A1CDF4378B7C545744C409C7463C0CDF58CC62BE05A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:37.690{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943F3E77259980F17F439391C3B01F4F,SHA256=A5D8E07B2264E28D45EF2F023518B98538FD2EC2CD52E9889C70C3DD0838FE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:38.896{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BBACF1C968679F20CF216A9DBDA86F,SHA256=6527E93243D3CBF36180845D8C510440066DFF87A2D23AEDA62372D556F64881,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:38.053{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:38.053{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A068A1AF66AADC2C63EE88949C4E4B0,SHA256=C355ABF9DA8C267D2BD5F6E0B65B22C2405C8035EA9870BDDD6E8E451B7CF58D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:35.683{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50125-false10.0.1.12-8000- 11241100x8000000000000000115581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:39.141{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 
23542300x8000000000000000115580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:39.141{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D931E61FDA80EB04B87F9A3D67BF80,SHA256=2C73E42E2195508457546217E43D15B46968AC6EFF1B21898977943CB5FBB371,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000115583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:40.436{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:40.436{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F4B14C2015406B2DF8B3B11C580C6C,SHA256=DED8574FDDAC5F06A379B5F98DE93ABB9194989596CD97EEE7622E8C1AFF7C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:40.087{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1F0CFFA5B0908A9397594797A6729E,SHA256=2042810F34ACD6949D2E33DFFB4999DCF29B948F8E7371BE9D9B7A7F360636E1,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x800000000000000042928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.584{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1700-00000000A802}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 354300x800000000000000042927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:41.657{3EE3745C-BE91-63BE-6200-00000000A802}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-780.us-east-2.compute.internal50126-false10.0.1.12-8000- 10341000x800000000000000042926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.546{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1600-00000000A802}1224C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 
14:26:44.541{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1500-00000000A802}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.507{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1400-00000000A802}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.500{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1300-00000000A802}868C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.488{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1200-00000000A802}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.476{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1100-00000000A802}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.468{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-1000-00000000A802}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.458{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0F00-00000000A802}904C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.441{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program 
Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE85-63BE-0E00-00000000A802}896C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.435{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0D00-00000000A802}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.427{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0C00-00000000A802}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program 
Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.421{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0B00-00000000A802}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 10341000x800000000000000042914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.419{3EE3745C-BE85-63BE-2100-00000000A802}15522540C:\Program Files\Aurora-Agent\aurora-agent.exe{3EE3745C-BE84-63BE-0900-00000000A802}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013480190) 23542300x800000000000000042913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-780-2023-01-11 14:26:44.410{3EE3745C-BE98-63BE-7400-00000000A802}3564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E9496D80437FFF88A6A9D806D2B6DB,SHA256=D46AE6B086803ABBF89505E38D8F476FD135FF2F24AA0FF6B448F9FFEBADE973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000115642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.629{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E501-00000000A702}4664C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.627{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E5-63BE-E401-00000000A702}5832C:\Windows\System32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.626{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5E4-63BE-DE01-00000000A702}6156C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.621{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C5DC-63BE-D801-00000000A702}5300C:\Users\Administrator\AppData\Roaming\svchosts.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.619{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C509-63BE-C101-00000000A702}6940C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.617{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A901-00000000A702}6256C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.617{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C46E-63BE-A801-00000000A702}5796C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.615{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-C226-63BE-5B01-00000000A702}4528C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.600{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF91-63BE-AF00-00000000A702}4604C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.585{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF90-63BE-AE00-00000000A702}4168C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.546{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8F-63BE-AD00-00000000A702}5040C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.536{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A500-00000000A702}4540C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.525{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.520{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8C-63BE-9F00-00000000A702}172C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.518{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF8B-63BE-9D00-00000000A702}2144C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.515{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BF11-63BE-8900-00000000A702}3180C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.512{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.506{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BEA4-63BE-7100-00000000A702}3944C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.504{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program 
Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4500-00000000A702}3588C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.500{7DAC9CB3-BF9C-63BE-B700-00000000A702}58405980C:\Program Files\Aurora-Agent\aurora-agent.exe{7DAC9CB3-BE99-63BE-4400-00000000A702}3552C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810) 10341000x8000000000000000115622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:44.403{7DAC9CB3-BE89-63BE-0D00-00000000A702}8966096C:\Windows\system32\svchost.exe{7DAC9CB3-BF8E-63BE-A200-00000000A702}4436C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
11241100x8000000000000000115675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.133{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2023-01-10 09:32:18.990 23542300x8000000000000000115674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.133{7DAC9CB3-BEAB-63BE-7B00-00000000A702}3632NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9141455492373970FBE0CC63117938,SHA256=413576844088C581A06B799A4A4DA03E79838DDEC6C2464AD1FCAA6FF33A1BC3,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000115673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.030{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.030{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.030{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.030{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:26:45.030{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.030{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.030{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 10341000x8000000000000000115666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.030{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 
14:26:45.030{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BE87-63BE-0B00-00000000A702}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000115664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.030{7DAC9CB3-BE87-63BE-0B00-00000000A702}6364200C:\Windows\system32\lsass.exe{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000115663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 
14:26:45.029{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.029{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.029{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.029{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.029{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.029{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.029{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.027{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.027{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 
12241200x8000000000000000115654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.027{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.027{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 12241200x8000000000000000115652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.027{7DAC9CB3-BE89-63BE-1600-00000000A702}1300C:\Windows\System32\svchost.exeHKCR 734700x8000000000000000115651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.020{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000115650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.020{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000115649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.019{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program 
Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000115648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x8000000000000000115647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x8000000000000000115646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-CreateKey2023-01-11 14:26:45.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x8000000000000000115645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000115644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.014{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000115643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-661.attackrange.local-2023-01-11 14:26:45.014{7DAC9CB3-BE88-63BE-0C00-00000000A702}8364360C:\Windows\system32\svchost.exe{7DAC9CB3-BF9C-63BE-B700-00000000A702}5840C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
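The ProcessAccess (Event ID 10) records in this log carry the fields an analyst actually triages: SourceImage, TargetImage, GrantedAccess and CallTrace. The records above include svchost.exe opening lsass.exe with GrantedAccess 0x1400 through lsm.dll, and the 32-bit aurora-agent.exe opening conhost.exe and ssm-agent-worker.exe with 0x40 through a wow64 call stack that ends in an UNKNOWN frame. The example below is added here and is not part of the log or of any tool it was exported from. It decodes the GrantedAccess mask with the winnt.h process-rights constants, counts CallTrace frames Sysmon could not attribute to a loaded module, and flags lsass.exe handles that carry memory-read or injection rights. The three sample events are constructed: the first two re-express values visible in the log in Sysmon's XML layout (with abbreviated call traces), and the third (dump.exe, record 900001) is a hypothetical positive case that does not appear in the log.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess): decode GrantedAccess and flag
handles to lsass.exe that carry rights usable for credential dumping."""
import xml.etree.ElementTree as ET

# Process access rights from winnt.h (Windows constants).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights that let a caller read or tamper with LSASS memory. 0x1400 (query
# information only, as in the svchost.exe -> lsass.exe records) has none of them.
LSASS_DANGEROUS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040


def _local(tag):
    """Strip the XML namespace Sysmon puts on every element."""
    return tag.rsplit("}", 1)[-1]


def parse_process_access(xml_text):
    """Flatten one Sysmon <Event> into a dict of System and EventData fields."""
    rec = {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name in ("EventID", "EventRecordID", "Computer"):
            rec[name] = (el.text or "").strip()
        elif name == "Data" and el.get("Name"):
            rec[el.get("Name")] = (el.text or "").strip()
    rec["GrantedAccessInt"] = int(rec.get("GrantedAccess", "0x0"), 16)
    return rec


def decode_access(mask):
    """Names of the rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def unbacked_frames(call_trace):
    """Count CallTrace frames whose return address was not inside a loaded module."""
    return sum(1 for frame in call_trace.split("|") if frame.startswith("UNKNOWN"))


def is_suspicious_lsass_access(rec):
    target = rec.get("TargetImage", "").lower()
    return target.endswith("\\lsass.exe") and bool(rec["GrantedAccessInt"] & LSASS_DANGEROUS)


def triage(events):
    """Return one finding per ProcessAccess event that opens lsass.exe with dangerous rights."""
    findings = []
    for xml_text in events:
        rec = parse_process_access(xml_text)
        if rec.get("EventID") != "10" or not is_suspicious_lsass_access(rec):
            continue
        findings.append({
            "EventRecordID": rec["EventRecordID"],
            "SourceImage": rec["SourceImage"],
            "TargetImage": rec["TargetImage"],
            "rights": decode_access(rec["GrantedAccessInt"]),
            "unbacked_frames": unbacked_frames(rec.get("CallTrace", "")),
        })
    return findings


def _event(record_id, src, spid, tgt, tpid, access, trace):
    """Build a constructed Sysmon Event ID 10 record in the provider's XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID>
    <EventRecordID>{record_id}</EventRecordID>
    <Computer>win-dc-ctus-attack-range-661.attackrange.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2023-01-11 14:26:45.030</Data>
    <Data Name="SourceProcessId">{spid}</Data><Data Name="SourceImage">{src}</Data>
    <Data Name="TargetProcessId">{tpid}</Data><Data Name="TargetImage">{tgt}</Data>
    <Data Name="GrantedAccess">{access}</Data><Data Name="CallTrace">{trace}</Data>
  </EventData>
</Event>"""


# Constructed samples. The first two mirror values from the log (call traces abbreviated);
# the third is a hypothetical positive case and is not in the log.
SAMPLE_EVENTS = [
    _event(115666, r"C:\Windows\system32\svchost.exe", 836, r"C:\Windows\system32\lsass.exe", 636,
           "0x1400", r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44"
                     r"|c:\windows\system32\lsm.dll+f86b|C:\Windows\SYSTEM32\ntdll.dll+51791"),
    _event(115623, r"C:\Program Files\Aurora-Agent\aurora-agent.exe", 5840,
           r"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe", 3552, "0x40",
           r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4"
           r"|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039810)"),
    _event(900001, r"C:\Users\Public\dump.exe", 4242, r"C:\Windows\system32\lsass.exe", 636,
           "0x1010", r"C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+c6a18"
                     r"|UNKNOWN(00000000DEADBEEF)"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The svchost.exe record is not a hit: 0x1400 is PROCESS_QUERY_INFORMATION plus PROCESS_QUERY_LIMITED_INFORMATION, and the lsm.dll frame shows the Local Session Manager querying lsass.exe, which is routine on a domain controller. An UNKNOWN CallTrace frame means the return address was not in any loaded module; the log shows one on the 32-bit aurora-agent.exe stack, so treat that count as an enrichment field for the analyst, not as a verdict on its own.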